Analysis Overview
SHA256
296cd8d9dbf290b38ac03cab0586e0f34efb6618b32adb45a2e41ea2e054cd32
Threat Level: Shows suspicious behavior
The file ShadowGen By ShadowOxygen.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 19:50
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1268 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1268 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1268 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\msacm32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\msacm32.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\secproc.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\secproc.dll",#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | | tcp |
Files
memory/1864-0-0x0000000000830000-0x0000000000840000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
132s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\shadowgen.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\Extreme.Net.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\WebDriver.dll",#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240508-en
Max time kernel
105s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\WebDriver.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240426-en
Max time kernel
91s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\Xceed.Wpf.Toolkit.dll",#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.21:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\bin32.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\bin32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe |
| PID 1368 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe |
| PID 1368 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe"
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI13682\python37.dll
| MD5 | 62125a78b9be5ac58c3b55413f085028 |
| SHA1 | 46c643f70dd3b3e82ab4a5d1bc979946039e35b2 |
| SHA256 | 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f |
| SHA512 | e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4 |
\Users\Admin\AppData\Local\Temp\_MEI13682\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI13682\base_library.zip
| MD5 | 057917a14cf42e6a27902be13bf1b5af |
| SHA1 | c1e2437235b002a77f88fe7938b4bef560499739 |
| SHA256 | be8e5189ce4183ef24cbc06c8db98f7da16b9b236e6375450b688bd51fedf224 |
| SHA512 | 31951fa321971a8a273cdbf0f9c7fae7b4f9880d2b7ab64e324562b5fa0650c053db099b760cc3cfe4033296bb7b26cb7d3d94f5bac3b50d3afce8a3d01a3cb8 |
\Users\Admin\AppData\Local\Temp\_MEI13682\_ctypes.pyd
| MD5 | 2f21f50d2252e3083555a724ca57b71e |
| SHA1 | 49ec351d569a466284b8cc55ee9aeaf3fbf20099 |
| SHA256 | 09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce |
| SHA512 | e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb |
C:\Users\Admin\AppData\Local\Temp\_MEI13682\_hashlib.pyd
| MD5 | c3b19ad5381b9832e313a448de7c5210 |
| SHA1 | 51777d53e1ea5592efede1ed349418345b55f367 |
| SHA256 | bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc |
| SHA512 | 7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb |
C:\Users\Admin\AppData\Local\Temp\_MEI13682\libcrypto-1_1-x64.dll
| MD5 | 022a61849adab67e3a59bcf4d0f1c40b |
| SHA1 | fca2e1e8c30767c88f7ab5b42fe2bd9abb644672 |
| SHA256 | 2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f |
| SHA512 | 94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\shadowgen.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240426-en
Max time kernel
89s
Max time network
100s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
CefSharp.dll
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe pqD7ns3fFQLecdPnq54jrnAkrqhcPabFqf510oFIPQFmrymjiCMGDaBrcOTkTSSJ
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
CefSharp.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| IE | 52.111.236.22:443 | | tcp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\python37.dll
| MD5 | 62125a78b9be5ac58c3b55413f085028 |
| SHA1 | 46c643f70dd3b3e82ab4a5d1bc979946039e35b2 |
| SHA256 | 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f |
| SHA512 | e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\base_library.zip
| MD5 | 057917a14cf42e6a27902be13bf1b5af |
| SHA1 | c1e2437235b002a77f88fe7938b4bef560499739 |
| SHA256 | be8e5189ce4183ef24cbc06c8db98f7da16b9b236e6375450b688bd51fedf224 |
| SHA512 | 31951fa321971a8a273cdbf0f9c7fae7b4f9880d2b7ab64e324562b5fa0650c053db099b760cc3cfe4033296bb7b26cb7d3d94f5bac3b50d3afce8a3d01a3cb8 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\_ctypes.pyd
| MD5 | 2f21f50d2252e3083555a724ca57b71e |
| SHA1 | 49ec351d569a466284b8cc55ee9aeaf3fbf20099 |
| SHA256 | 09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce |
| SHA512 | e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\_hashlib.pyd
| MD5 | c3b19ad5381b9832e313a448de7c5210 |
| SHA1 | 51777d53e1ea5592efede1ed349418345b55f367 |
| SHA256 | bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc |
| SHA512 | 7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\libcrypto-1_1-x64.dll
| MD5 | 022a61849adab67e3a59bcf4d0f1c40b |
| SHA1 | fca2e1e8c30767c88f7ab5b42fe2bd9abb644672 |
| SHA256 | 2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f |
| SHA512 | 94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246 |
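Added example, not part of the sandbox report or of the sample: a Python helper that turns the plain-text sections of this report into an IOC set a practitioner can act on. It encodes three assumptions inferred from the report and flagged in comments. First, that rundll32.exe "<dll>",#1 and cmd /c <file>.pyc are the sandbox's own launch commands for each archive member rather than sample behaviour (the system32 rundll32 writing to a SysWOW64 rundll32 child in behavioral18, behavioral19, behavioral20 and behavioral17 is consistent with the 64-bit loader handing a 32-bit DLL to its WoW64 counterpart, so those WriteProcessMemory hits are harness noise). Second, that files under %TEMP%\_MEI<pid> are the PyInstaller runtime unpacked by the bootloader, which is why python37.dll, VCRUNTIME140.dll and the .pyd files carry identical hashes in behavioral1, behavioral8 and behavioral2 and are not themselves indicators. Third, that the executables written to C:\ProgramData (vshost.exe, winst.exe) are the dropped payload. The REPORT constant is a constructed excerpt whose values are copied from this page, with rows taken from several detonations.

```python
"""Triage helper for a Tria.ge-style text report: added example, not the report's own tooling.
REPORT is a constructed excerpt whose values are copied from this page."""
import re

REPORT = r"""Analysis: behavioral18
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\msacm32.dll",#1
Analysis: behavioral8
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
Network
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| IE | 52.111.236.22:443 | tcp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\python37.dll
| SHA256 | 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f |
Analysis: behavioral2
Files
C:\Users\Admin\AppData\Local\Temp\_MEI4482\python37.dll
| SHA256 | 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f |
"""

# Assumption: the sandbox launches every DLL via rundll32 export #1 and the .pyc via
# cmd /c; these command lines are harness activity, not behaviour of the sample.
HARNESS_CMDS = (re.compile(r'^rundll32\.exe ".*\.dll",#1$', re.I), re.compile(r"^cmd /c .*\.pyc$", re.I))

def classify_process(image, cmdline):  # harness = sandbox launcher, dropped = written by the sample
    if any(p.match(cmdline) for p in HARNESS_CMDS):
        return "harness"
    low = image.lower()
    if low.startswith("c:\\programdata\\"):
        return "dropped"
    return "sample" if "\\appdata\\local\\temp\\" in low else "system"

def classify_file(path):  # assumption: %TEMP%\_MEI<pid> holds the PyInstaller runtime, not the payload
    if re.search(r"\\_MEI\d+\\", path):
        return "pyinstaller-runtime"
    return "dropped-payload" if path.lower().startswith("c:\\programdata\\") else "other"

def parse_net_row(line):  # tolerates mis-aligned rows: missing Domain cell, or Proto in the Domain column
    cells = [c.strip() for c in line.strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    proto = next((c for c in cells[2:] if c in ("tcp", "udp")), "")
    domain = next((c for c in cells[2:] if c and c != proto), "")
    return {"dest": cells[1], "domain": domain, "proto": proto}

def parse_report(text):
    # -> {analysis: {"processes": [(image, cmdline, role)], "network": [row], "files": {path: {algo: hash}}}}
    report, name, section, pending = {}, None, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Analysis: "):
            name = line[len("Analysis: "):]
            report[name] = {"processes": [], "network": [], "files": {}}
            section = pending = None
        elif line in ("Processes", "Network", "Files"):
            section, pending = line, None
        elif section == "Processes":  # image path on one line, its command line on the next
            if pending is None:
                pending = line
            else:
                report[name]["processes"].append((pending, line, classify_process(pending, line)))
                pending = None
        elif section == "Network" and (row := parse_net_row(line)):
            report[name]["network"].append(row)
        elif section == "Files" and line.startswith("|") and pending:
            algo, value = [c.strip() for c in line.strip("|").split("|")][:2]
            report[name]["files"][pending][algo] = value
        elif section == "Files":
            pending = line
            report[name]["files"][pending] = {}
    return report

def network_iocs(rows):  # domains resolved (reverse lookups dropped) and TCP endpoints reached
    domains = {r["domain"] for r in rows if r["domain"] and not r["domain"].endswith(".in-addr.arpa")}
    return {"domains": domains, "endpoints": {r["dest"] for r in rows if r["proto"] == "tcp"}}

def unique_files(report):  # dedupe across detonations by SHA256; the PyInstaller runtime repeats per run
    seen = {}
    for data in report.values():
        for path, hashes in data["files"].items():
            if sha := hashes.get("SHA256"):
                entry = seen.setdefault(sha, {"paths": set(), "tag": classify_file(path)})
                entry["paths"].add(path)
    return seen

def triage(text):
    report = parse_report(text)
    analyses = {n: {"roles": {r for _, _, r in d["processes"]}, **network_iocs(d["network"])}
                for n, d in report.items()}
    return {"analyses": analyses, "files": unique_files(report)}
```

triage(REPORT) reports behavioral18 as harness-only with no IOCs, behavioral8 as sample plus dropped payload with the two ddnsgeek.com hosts and three TCP endpoints, and collapses the two python37.dll copies to one PyInstaller-runtime hash while keeping vshost.exe as a dropped payload. Pass the full report text to the same function to cover every detonation. UDP rows and in-addr.arpa lookups are dropped from the endpoint list, so the mDNS and QUIC rows in behavioral2 do not surface as indicators; widen network_iocs if those matter for your environment.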
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240426-en
Max time kernel
89s
Max time network
99s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1456 wrote to memory of 1408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1456 wrote to memory of 1408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1456 wrote to memory of 1408 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\secproc.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\secproc.dll",#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.21:443 | | tcp |
Files
memory/1408-0-0x0000000002D20000-0x0000000002D30000-memory.dmp
memory/1408-1-0x0000000002D20000-0x0000000002D30000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240419-en
Max time kernel
90s
Max time network
95s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\bin32.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\bin32.exe"
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4772 wrote to memory of 4452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4772 wrote to memory of 4452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4772 wrote to memory of 4452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\msacm32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\msacm32.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win11-20240426-en
Max time kernel
139s
Max time network
134s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133619186081050694" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe"
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95a15ab58,0x7ff95a15ab68,0x7ff95a15ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4912 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3036 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4704 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 216.58.204.86:443 | i.ytimg.com | tcp |
| GB | 216.58.204.86:443 | i.ytimg.com | tcp |
| GB | 216.58.204.86:443 | i.ytimg.com | tcp |
| GB | 142.250.187.206:443 | www.youtube.com | udp |
| GB | 142.250.179.238:443 | www.youtube.com | udp |
| GB | 216.58.204.86:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 194.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.213.6:443 | static.doubleclick.net | tcp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | udp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI4482\python37.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4482\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4482\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI4482\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4482\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4482\libcrypto-1_1-x64.dll
\??\pipe\crashpad_1220_FHXXDRYRPRHSOSUG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe590edb.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win10-20240404-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\Extreme.Net.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe
"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
CefSharp.dll
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe 9tn6yvCjmsn0UaWTmqwuMxUMqEtdw9bXkWTvD9SppOxWsbvoXT5APdOsBk3x0sb5
C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
CefSharp.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\winst\winst.exe
C:\Users\Admin\AppData\Local\Temp\_MEI36162\python37.dll
C:\Users\Admin\AppData\Local\Temp\_MEI36162\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI36162\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI36162\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI36162\libcrypto-1_1-x64.dll
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-03 19:50
Reported
2024-06-03 20:04
Platform
win10-20240404-en
Max time kernel
134s
Max time network
139s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\Xceed.Wpf.Toolkit.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |