Analysis Overview
SHA256
d39440a7b776a3020f422aa3bc90c2b2fb5d2dbe7e107bae1d52bf04c795c40d
Threat Level: Known bad
The file Loader.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
GoLang User-Agent
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-09 18:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-09 18:27
Reported
2024-02-09 18:38
Platform
win11-20231215-en
Max time kernel
575s
Max time network
586s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3052 created 2896 | N/A | C:\ProgramData\driver2.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\driver2.exe | N/A |
| N/A | N/A | C:\ProgramData\driver1.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
C:\ProgramData\driver2.exe
C:\ProgramData\driver2.exe
C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://teletype.in/@pchackk/GSX31uT294I
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ad283cb8,0x7ff8ad283cc8,0x7ff8ad283cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2976 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1876,4447197913891365918,2452690702710640405,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6140 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 82.115.223.43:25565 | 82.115.223.43 | tcp |
| GB | 82.115.223.43:25565 | 82.115.223.43 | tcp |
| GB | 82.115.223.43:25565 | 82.115.223.43 | tcp |
| US | 8.8.8.8:53 | 43.223.115.82.in-addr.arpa | udp |
| US | 172.67.69.38:443 | teletype.in | tcp |
| RU | 77.88.55.88:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | 88.55.88.77.in-addr.arpa | udp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 87.250.247.181:443 | avatars.mds.yandex.net | tcp |
| RU | 77.88.21.179:443 | ads.adfox.ru | tcp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| US | 172.67.69.38:443 | img2.teletype.in | tcp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| BE | 74.125.206.156:443 | stats.g.doubleclick.net | tcp |
| GB | 216.58.204.67:443 | www.google.co.uk | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| GB | 216.58.204.67:443 | www.google.co.uk | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 34.111.15.3:443 | cdn1.cdn-telegram.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqfesgeu.kqw.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\ProgramData\driver2.exe
C:\ProgramData\driver1.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_428_VSEPUAAXESSWHPPI
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589527.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-09 18:27
Reported
2024-02-09 18:38
Platform
win11-20231215-en
Max time kernel
441s
Max time network
443s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |