b156f30c7add9bd8f9b82b94b96a70a4908ae5d7fe2f79243353ffad97afeca8

Analysis

max time kernel
660s
max time network
422s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2023 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReShade_Setup_4.9.1.exe
Size

2.9MB
MD5

c6f24869e17d3644037897e593e1708c
SHA1

8b42e60325fc9503b1267f0984d1038bffeac501
SHA256

b156f30c7add9bd8f9b82b94b96a70a4908ae5d7fe2f79243353ffad97afeca8
SHA512

186e3b9f11d5b989d4c6f5a25a8ff889c39fce68d4886a59075b68bdfae81e2d8d9599705d3afa7fff7f60e5a312ef84f904093985b7469335b4ed8ce98b57d0
SSDEEP

49152:dvRtNNdi18mgXoW440ba7dlE7cdDfpz9KEZq0bl33PhctL2xJbCRwUxXEzRBh2ER:FR9Jw4Gh7cdDRz9KbKpcYXb7aUzRB5aM

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	taskmgr.exe
Token: SeSystemProfilePrivilege	2496	taskmgr.exe
Token: SeCreateGlobalPrivilege	2496	taskmgr.exe
Token: 33	4936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4936	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\ReShade_Setup_4.9.1.exe
"C:\Users\Admin\AppData\Local\Temp\ReShade_Setup_4.9.1.exe"
1⤵
PID:1904

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-133-0x00000173B7C80000-0x00000173B7CAC000-memory.dmp

Filesize
176KB

Download
memory/1904-134-0x00007FF8C6EE0000-0x00007FF8C79A1000-memory.dmp

Filesize
10.8MB

Download
memory/1904-135-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/1904-136-0x00000173B98E0000-0x00000173B98F2000-memory.dmp

Filesize
72KB

Download
memory/1904-137-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/1904-139-0x00000173D4050000-0x00000173D4058000-memory.dmp

Filesize
32KB

Download
memory/1904-138-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/1904-140-0x00000173D6310000-0x00000173D6348000-memory.dmp

Filesize
224KB

Download
memory/1904-141-0x00000173D62E0000-0x00000173D62EE000-memory.dmp

Filesize
56KB

Download
memory/1904-142-0x00000173D6300000-0x00000173D630A000-memory.dmp

Filesize
40KB

Download
memory/1904-151-0x00007FF8C6EE0000-0x00007FF8C79A1000-memory.dmp

Filesize
10.8MB

Download
memory/1904-152-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/1904-153-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/1904-154-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/1904-155-0x00000173B9980000-0x00000173B9990000-memory.dmp

Filesize
64KB

Download
memory/2496-156-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-157-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-158-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-162-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-163-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-164-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-165-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-166-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-167-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download
memory/2496-168-0x000001FA374C0000-0x000001FA374C1000-memory.dmp

Filesize
4KB

Download