Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 233s
max time network: 242s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/06/2024, 17:28
Static task: static1
Behavioral task: behavioral1
Sample: _Getintopc.com_Shadow_Defender_1.5.0.726.rar
Resource: win10v2004-20240226-en
General
Target: _Getintopc.com_Shadow_Defender_1.5.0.726.rar
Size: 3.9MB
MD5: 4f413413d826637184d384e35d34f98a
SHA1: 89d7270d76d4789111a701bc4e85ac0e43f69c45
SHA256: 444e4f94756e7094b2dced1bf728874ffae492d6c5e306232c1e162c470eaada
SHA512: ca55eefd76e735dead58fb7a31693e749d677ed75fc6488ddc1e9fc4187804f08dfd0a38e44807129eb206c36efb0411ca08e98ff34c2b021f58197e8507e240
SSDEEP: 98304:q1lY8xKHQ1ILuTFOIp4MqH7fjNcOyY7GJ7MqEAmjqtvXA11ukvZn:qQkKYcuc5Mqb7R72x0OEvhn
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\drivers\diskpt.sys | Setup.exe
File opened for modification | C:\Windows\system32\drivers\diskpt.sys | Setup.exe
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diskpt\ImagePath = "SYSTEM32\\drivers\\diskpt.sys" | Setup.exe
Taken together with the diskpt.sys dropped under system32\drivers and the diskpt.crt written to C:\Windows (below), this registers a driver service named diskpt whose image is a dropped kernel-mode binary. On 64-bit Windows 10 that driver only loads if it carries a valid code signature, so the signature on diskpt.sys is the first thing to check before trusting a package obtained from a warez site.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cmd.exe
The querying process is cmd.exe (PID 5080 in the process list), the launcher that opened the archive, not a binary dropped by the sample, so this hit carries little weight on its own.
Executes dropped EXE (14 IoCs)
pid | Process
3552 | Setup.exe
3952 | Setup.exe
372 | Setup_x64.exe
988 | Setup.exe
4860 | Service.exe
5096 | Defender.exe
4748 | Defender.exe
2772 | Uninstall.exe
3504 | shdDE.tmp
408 | Service.exe
536 | DefenderDaemon.exe
732 | Commit.exe
376 | CmdTool.exe
1528 | Defender.exe
Loads dropped DLL (2 IoCs)
pid | Process
988 | Setup.exe
3364 | Process not Found
Registers COM server for autorun (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32\ThreadingModel = "Apartment" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32 | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32\ = "C:\\Program Files\\Shadow Defender\\ShellExt.dll" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32\ThreadingModel = "Apartment" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32 | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32\ = "C:\\Windows\\system32\\shell32.dll" | Setup.exe
Two CLSIDs are registered. {5EE8E9E6-2853-4D28-B2DE-6529EDA0A294} points at the dropped ShellExt.dll and, per the Modifies registry class entries, is also hooked under *\shellex\ContextMenuHandlers, Directory\shellex\ContextMenuHandlers and Drive\shellex\ContextMenuHandlers, so it is an Explorer context-menu extension that gets loaded by Explorer and any process hosting a shell context menu. {78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9} points at the stock shell32.dll and is not a dropped component.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shadow Defender Daemon = "\"C:\\Program Files\\Shadow Defender\\DefenderDaemon.exe\" /Auto" | Setup.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 45 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: through \??\Z: (all 22 letters, one open each) | Setup.exe
File opened (read-only) | \??\E: through \??\Z: (all 22 letters, one open each) | Service.exe
File opened (read-only) | \??\Z: | mountvol.exe
The Z: open by mountvol.exe belongs to the "mountvol Z: /s" and "mountvol Z: /d" pair that Service.exe (PID 408) spawns in the process list: /s mounts the EFI system partition at Z: and /d removes the mount again, so the installer's service touches the ESP and not only fixed data drives.
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | C:\Program Files\Shadow Defender\Commit.exe | Setup.exe
File created | C:\Program Files\Shadow Defender\ShellExt.dll | Setup.exe
File opened for modification | C:\Program Files\Shadow Defender\res.ini | Setup.exe
File created | C:\Program Files\Shadow Defender\CmdTool.txt | Setup.exe
File created | C:\Program Files\Shadow Defender\Defender.exe | Setup.exe
File created | C:\Program Files\Shadow Defender\CmdTool.exe | Setup.exe
File created | C:\Program Files\Shadow Defender\Help.chm | Setup.exe
File created | C:\Program Files\Shadow Defender\eula.rtf | Setup.exe
File opened for modification | C:\Program Files\Shadow Defender\user.dat | Setup.exe
File opened for modification | C:\Program Files\Shadow Defender\Defender.exe | Setup.exe
File created | C:\Program Files\Shadow Defender\DefenderDaemon.exe | Setup.exe
File created | C:\Program Files\Shadow Defender\Service.exe | Setup.exe
File created | C:\Program Files\Shadow Defender\res.ini | Setup.exe
File created | C:\Program Files\Shadow Defender\Uninstall.exe | Setup.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\diskpt.crt | Setup.exe
File created | C:\Windows\diskpt.crt | Setup.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
All three reads come from taskmgr.exe (PID 2256), Windows' own Task Manager, which appears as a top-level process in the tree with no sample process recorded as launching it. They are not sample behaviour and should not be read as anti-sandbox checks by the installer.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
As with the SCSI keys, the reader is taskmgr.exe (PID 2256), not a dropped binary; Task Manager reads the processor name to populate its Performance tab.
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | 7zFM.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\TypeLib | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\HELPDIR\ = "C:\\Program Files\\Shadow Defender" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt.1 | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32\ = "C:\\Windows\\system32\\shell32.dll" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.dat | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\潬灯se㨬䷘⫮耀㓀믙Ⱦ\ = "dat_auto_file" | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt.1\CLSID\ = "{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32\ = "C:\\Program Files\\Shadow Defender\\ShellExt.dll" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell\open\command | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1} | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\0 | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt\CurVer | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32\ThreadingModel = "Apartment" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefenderContextMenuExt | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9} | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF2EA936-C1E1-428D-9572-F4285AFC4F48} | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32\ThreadingModel = "Apartment" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\潬灯se㨬䷘⫮耀㓀믙Ⱦ | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt.1\ = "DefenderContextMenuExt Class" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt\CLSID\ = "{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\ = "DefenderContextMenuExt Class" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefenderContextMenuExt\ = "{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\ = "ShellExt 1.0 Type Library" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt.1\CLSID | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\FLAGS | Setup.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\ = e807060006000f0011001e001f000a00 | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32 | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\믜Ⱦ | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt\ = "DefenderContextMenuExt Class" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt\CurVer\ = "DefenderShellExt.ContextMenuExt.1" | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\ProgID\ = "DefenderShellExt.ContextMenuExt.1" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0 | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\HELPDIR | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294} | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\DefenderContextMenuExt\ = "{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell\edit | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DefenderShellExt.ContextMenuExt\CLSID | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\FLAGS\ = "0" | Setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF2EA936-C1E1-428D-9572-F4285AFC4F48}\ = "DefenderShellExt" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\VersionIndependentProgID | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\TypeLib\ = "{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\DefenderContextMenuExt | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\㓀믙Ⱦ | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\㓀믙Ⱦ\ = "dat_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell\edit\command | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\AppID = "{FF2EA936-C1E1-428D-9572-F4285AFC4F48}" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\DefenderContextMenuExt | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\DefenderContextMenuExt\ = "{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | 7zFM.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\ProgID | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\VersionIndependentProgID\ = "DefenderShellExt.ContextMenuExt" | Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32 | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\0\win64\ = "C:\\Program Files\\Shadow Defender\\ShellExt.dll" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\믜Ⱦ\ = "dat_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dat_auto_file\shell\open | OpenWith.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
2256 | taskmgr.exe (22 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4428 | 7zFM.exe
1172 | OpenWith.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 4428 | 7zFM.exe
Token: 35 | 4428 | 7zFM.exe
Token: SeSecurityPrivilege | 4428 | 7zFM.exe
Token: SeDebugPrivilege | 2256 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2256 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2256 | taskmgr.exe
Token: 33 | 2256 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2256 | taskmgr.exe
Suspicious use of FindShellTrayWindow (51 IoCs)
pid | Process
4428 | 7zFM.exe (2 events)
2256 | taskmgr.exe (49 events)
Suspicious use of SendNotifyMessage (48 IoCs)
pid | Process
2256 | taskmgr.exe (48 events)
Suspicious use of SetWindowsHookEx (41 IoCs)
pid | Process
988 | Setup.exe (2 events)
5096 | Defender.exe (2 events)
1172 | OpenWith.exe (19 events)
4748 | Defender.exe (2 events)
2772 | Uninstall.exe (2 events)
3504 | shdDE.tmp (2 events)
732 | Commit.exe (2 events)
376 | CmdTool.exe (1 event)
1528 | Defender.exe (2 events)
4384 | OpenWith.exe (7 events)
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 5080 wrote to memory of 4428 | 5080 | cmd.exe | 91 (2 events)
PID 3552 wrote to memory of 3952 | 3552 | Setup.exe | 107 (3 events)
PID 3952 wrote to memory of 372 | 3952 | Setup.exe | 108 (3 events)
PID 372 wrote to memory of 988 | 372 | Setup_x64.exe | 109 (2 events)
PID 988 wrote to memory of 4860 | 988 | Setup.exe | 110 (2 events)
PID 1172 wrote to memory of 4632 | 1172 | OpenWith.exe | 121 (2 events)
PID 2772 wrote to memory of 3504 | 2772 | Uninstall.exe | 125 (2 events)
PID 408 wrote to memory of 4156 | 408 | Service.exe | 127 (2 events)
PID 408 wrote to memory of 1236 | 408 | Service.exe | 129 (2 events)
PID 4384 wrote to memory of 4560 | 4384 | OpenWith.exe | 137 (2 events)
procid_target is tria.ge's own process index for the target, not a Windows PID; the target PID is the one named in the description.
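The driver drop, the service ImagePath, the Run key and the COM InprocServer32 rows above are the artifacts worth turning into a host-telemetry check. The Python below is an added example, not tria.ge output or Shadow Defender code: it encodes those four IoC shapes as rules and runs them over a handful of constructed Sysmon-style events (the Event field names and the sample records are this example's own assumptions, modelled on the report's rows). It generalises slightly beyond the page: it flags any service whose ImagePath ends in diskpt.sys regardless of control set, and any CLSID whose in-proc server lives outside C:\Windows, which is exactly what separates the ShellExt.dll registration from the shell32.dll one.

```python
import re
from dataclasses import dataclass

# Indicators copied from this report's Signatures section (all written by Setup.exe, PID 988).
DRIVER_FILE = r"C:\Windows\system32\drivers\diskpt.sys"
SHELLEXT_CLSID = "{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}"


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-shaped record (assumed field names): 11 = FileCreate, 13 = RegistryValueSet."""
    event_id: int
    image: str          # process that performed the action
    target: str         # file path, or registry path as Sysmon/tria.ge render it
    details: str = ""   # registry value data


_SERVICE_RE = re.compile(r"^hklm\\system\\(?:controlset\d+|currentcontrolset)\\services\\([^\\]+)\\imagepath$")
_RUN_RE = re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\run\\(.+)$")
_INPROC_RE = re.compile(r"^hklm\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32\\?$")


def norm_reg(path: str) -> str:
    """Lower-case and fold the NT-style \\REGISTRY\\MACHINE prefix (as in the report) onto HKLM."""
    p = path.lower()
    prefix = "\\registry\\machine\\"
    return "hklm\\" + p[len(prefix):] if p.startswith(prefix) else p


def match(ev: Event):
    """Return (rule, detail) when the event matches one of the report's IoC shapes, else None."""
    if ev.event_id == 11 and ev.target.lower() == DRIVER_FILE.lower():
        return ("driver_dropped", ev.target)
    if ev.event_id != 13:
        return None
    key = norm_reg(ev.target)
    data = ev.details.strip('"').lower()
    if (m := _SERVICE_RE.match(key)) and data.endswith("diskpt.sys"):
        return ("service_imagepath", m.group(1))
    if (m := _RUN_RE.match(key)) and "defenderdaemon.exe" in data:
        return ("run_key", m.group(1))
    if m := _INPROC_RE.match(key):
        # The report registers two CLSIDs; the one served by shell32.dll is a stock
        # Windows handler, so only in-proc servers outside %SystemRoot% are flagged.
        if not data.startswith("c:\\windows\\"):
            return ("com_inproc_server", m.group(1).upper())
    return None


def scan(events):
    """Run every event through match() and return (image, rule, detail) triples."""
    hits = []
    for ev in events:
        hit = match(ev)
        if hit:
            hits.append((ev.image, *hit))
    return hits


# Constructed sample telemetry modelled on the report's IoC rows (not real logs).
SAMPLE_EVENTS = [
    Event(11, "Setup.exe", r"C:\Windows\system32\drivers\diskpt.sys"),
    Event(13, "Setup.exe",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diskpt\ImagePath",
          r'"SYSTEM32\drivers\diskpt.sys"'),
    Event(13, "Setup.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shadow Defender Daemon",
          r'"C:\Program Files\Shadow Defender\DefenderDaemon.exe" /Auto'),
    Event(13, "Setup.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EE8E9E6-2853-4D28-B2DE-6529EDA0A294}\InprocServer32",
          r'"C:\Program Files\Shadow Defender\ShellExt.dll"'),
    Event(13, "Setup.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}\InprocServer32",
          r'"C:\Windows\system32\shell32.dll"'),
    Event(11, "Setup.exe", r"C:\Program Files\Shadow Defender\eula.rtf"),
]

if __name__ == "__main__":
    for image, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:<20} {image:<12} {detail}")
```

Run against SAMPLE_EVENTS the scan yields four hits (driver drop, service diskpt, Run value "shadow defender daemon", CLSID {5EE8E9E6-...}) and stays silent on the shell32.dll registration and the eula.rtf write; feeding it real Sysmon export needs only a mapping from the event's RuleName/TargetObject/Details fields onto Event.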
Processes
Indentation shows parent/child depth (the numbered ⤵ level in the original tree). Each entry gives the image path, then its command line, then the signatures that fired on that process.

PID 5080  C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\_Getintopc.com_Shadow_Defender_1.5.0.726.rar
          Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  PID 4428  C:\Program Files\7-Zip\7zFM.exe
            "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\_Getintopc.com_Shadow_Defender_1.5.0.726.rar"
            Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

PID 3804  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

PID 432   C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 448   C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sd\How to Install.txt

PID 3552  C:\Users\Admin\Desktop\sd\Setup.exe
          "C:\Users\Admin\Desktop\sd\Setup.exe"
          Executes dropped EXE; Suspicious use of WriteProcessMemory
  PID 3952  C:\Users\Admin\AppData\Local\Temp\7z8C1B9DE0\Setup.exe
            C:\Users\Admin\AppData\Local\Temp\7z8C1B9DE0\Setup.exe
            Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID 372   C:\Users\Admin\AppData\Local\Temp\7z8C1B9DE0\Setup_x64.exe
              "C:\Users\Admin\AppData\Local\Temp\7z8C1B9DE0\Setup_x64.exe"
              Executes dropped EXE; Suspicious use of WriteProcessMemory
      PID 988   C:\Users\Admin\AppData\Local\Temp\7z8C909174\Setup.exe
                C:\Users\Admin\AppData\Local\Temp\7z8C909174\Setup.exe
                Drops file in Drivers directory; Sets service image path in registry; Executes dropped EXE; Loads dropped DLL; Registers COM server for autorun; Adds Run key to start application; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        PID 4860  C:\Program Files\Shadow Defender\Service.exe
                  "C:\Program Files\Shadow Defender\Service.exe" /install
                  Executes dropped EXE

PID 532   C:\Users\Admin\Desktop\Keygen\keygen.exe
          "C:\Users\Admin\Desktop\Keygen\keygen.exe"

PID 5096  C:\Program Files\Shadow Defender\Defender.exe
          "C:\Program Files\Shadow Defender\Defender.exe"
          Executes dropped EXE; Suspicious use of SetWindowsHookEx

PID 1172  C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID 4632  C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Shadow Defender\user.dat

PID 4748  C:\Program Files\Shadow Defender\Defender.exe
          "C:\Program Files\Shadow Defender\Defender.exe"
          Executes dropped EXE; Suspicious use of SetWindowsHookEx

PID 2256  C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          Checks SCSI registry key(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

PID 2772  C:\Program Files\Shadow Defender\Uninstall.exe
          "C:\Program Files\Shadow Defender\Uninstall.exe"
          Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID 3504  C:\Users\Admin\AppData\Local\Temp\shdDE.tmp
            "C:\Users\Admin\AppData\Local\Temp\shdDE.tmp" /CLONE:"C:\Program Files\Shadow Defender"
            Executes dropped EXE; Suspicious use of SetWindowsHookEx

PID 408   C:\Program Files\Shadow Defender\Service.exe
          "C:\Program Files\Shadow Defender\Service.exe"
          Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
  PID 4156  C:\Windows\SYSTEM32\mountvol.exe
            mountvol Z: /s
  PID 1236  C:\Windows\SYSTEM32\mountvol.exe
            mountvol Z: /d
            Enumerates connected drives

PID 536   C:\Program Files\Shadow Defender\DefenderDaemon.exe
          "C:\Program Files\Shadow Defender\DefenderDaemon.exe"
          Executes dropped EXE

PID 732   C:\Program Files\Shadow Defender\Commit.exe
          "C:\Program Files\Shadow Defender\Commit.exe"
          Executes dropped EXE; Suspicious use of SetWindowsHookEx

PID 376   C:\Program Files\Shadow Defender\CmdTool.exe
          "C:\Program Files\Shadow Defender\CmdTool.exe"
          Executes dropped EXE; Suspicious use of SetWindowsHookEx

PID 1528  C:\Program Files\Shadow Defender\Defender.exe
          "C:\Program Files\Shadow Defender\Defender.exe"
          Executes dropped EXE; Suspicious use of SetWindowsHookEx

PID 4384  C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID 4560  C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Shadow Defender\user.dat
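Every entry in the "Suspicious use of WriteProcessMemory" list goes from a process to its own child in the tree above (writing into a freshly created child is a normal side effect of process creation), so those rows double as parent/child edges. The Python below is an added example, not part of the tria.ge report: it rebuilds the chains from the 22 transcribed writes, using image names for write-only targets taken from the Processes section; the helper names are this example's own. Processes that never appear as a write target (keygen.exe 532, taskmgr.exe 2256, the three Defender.exe instances, DefenderDaemon.exe, Commit.exe, CmdTool.exe) have no recorded launcher and sit at depth 1, which is why the installer chain Setup.exe -> Setup.exe -> Setup_x64.exe -> Setup.exe -> Service.exe /install is the only five-deep branch.

```python
from collections import defaultdict

# (writer_pid, writer_image, target_pid) transcribed from the report's
# "Suspicious use of WriteProcessMemory" rows; tria.ge emits one row per
# write, so the repeats are the same parent/child edge seen more than once.
WRITES = [
    (5080, "cmd.exe", 4428), (5080, "cmd.exe", 4428),
    (3552, "Setup.exe", 3952), (3552, "Setup.exe", 3952), (3552, "Setup.exe", 3952),
    (3952, "Setup.exe", 372), (3952, "Setup.exe", 372), (3952, "Setup.exe", 372),
    (372, "Setup_x64.exe", 988), (372, "Setup_x64.exe", 988),
    (988, "Setup.exe", 4860), (988, "Setup.exe", 4860),
    (1172, "OpenWith.exe", 4632), (1172, "OpenWith.exe", 4632),
    (2772, "Uninstall.exe", 3504), (2772, "Uninstall.exe", 3504),
    (408, "Service.exe", 4156), (408, "Service.exe", 4156),
    (408, "Service.exe", 1236), (408, "Service.exe", 1236),
    (4384, "OpenWith.exe", 4560), (4384, "OpenWith.exe", 4560),
]

# Image names for PIDs that only ever appear as write targets, taken from the
# Processes section of the report.
TARGET_IMAGES = {
    4428: "7zFM.exe", 3952: "Setup.exe", 372: "Setup_x64.exe", 988: "Setup.exe",
    4860: "Service.exe", 4632: "NOTEPAD.EXE", 3504: "shdDE.tmp",
    4156: "mountvol.exe", 1236: "mountvol.exe", 4560: "NOTEPAD.EXE",
}


def build_tree(writes):
    """Return (parent, children, image): child->parent, parent->[children], pid->image."""
    parent, children, image = {}, defaultdict(list), dict(TARGET_IMAGES)
    for wpid, wimg, tpid in writes:
        image[wpid] = wimg
        if tpid not in parent:          # first writer wins; repeats are the same edge
            parent[tpid] = wpid
            children[wpid].append(tpid)
    return parent, children, image


def ancestry(pid, parent, image):
    """Walk child->parent until a process that nothing is recorded writing into."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [f"{image[p]}({p})" for p in reversed(chain)]


def roots(parent, children):
    """Writers that are not themselves a target: the top of each recorded chain."""
    return sorted(p for p in children if p not in parent)


def render(pid, children, image, depth=0, out=None):
    """Indented text tree rooted at pid, two spaces per level."""
    out = [] if out is None else out
    out.append("  " * depth + f"{image[pid]} [{pid}]")
    for child in children.get(pid, []):
        render(child, children, image, depth + 1, out)
    return out


if __name__ == "__main__":
    parent, children, image = build_tree(WRITES)
    for root in roots(parent, children):
        print("\n".join(render(root, children, image)))
    print(" -> ".join(ancestry(4860, parent, image)))
```

The six roots the code finds (408, 1172, 2772, 3552, 4384, 5080) are exactly the depth-1 entries above that have children; nothing in the list ties the installer chain to the 7-Zip window, which is consistent with the archive having been extracted and Desktop\sd\Setup.exe launched by hand.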
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists dropped files by size and hash only; no filenames are attached to these entries.

Filesize: 49B
MD5: 887dd82aab3dc9f7cfe87d9f6fc83e3a
SHA1: c4545342d56a2dfbb3c818413b10abe4522b47d1
SHA256: 9ad64f2e5ee60bc50fcf071a0f29bda4c3828277a3666b681e0031429159568c
SHA512: bbf3e9e011d551bf24bcf1ce8abdff13a3524be1807f026cab9622f3e4684468311855f77ff65600ad09c576537b4716143832b9c7de470171ffe902aa593849

Filesize: 91KB
MD5: 6db4ae6e41a3671de64b27b91e4be743
SHA1: 42ea76727563244e43af6187ba96f718373c05ef
SHA256: c3d6792a785edf286a88ee9294121f00d62bc054394bfd5b77db1cf8656ddced
SHA512: 826bbc3107cc691479f3be019a29b36784c7ccf9cea5c668ea2f24123b35b45772fc08bc2e303e5f2fb453a587bd45d13d46e9cdf17bf2d18ed805aef7670477

Filesize: 2.1MB
MD5: 54895739b5713c93387890e1fe730a21
SHA1: 697f0f8bd003b81ffa88e3c8810ee7456faa1c07
SHA256: ef84591e539404b3c7cd034d6a5f467d378dac76376d9bdae2964158a62ed0ee
SHA512: 12a3afdcb9238198899a5dcdd304bc2161fcc2dc01680506e57cea3f4cefd5e935fa07e8bb40cc8adf536d05f5d5ab1970543eef8c3e966ebad0178c983866dd

Filesize: 726KB
MD5: 7eed712fd75227269aef7e861b507214
SHA1: 94137540e491850558459d3067929239f54d2fb9
SHA256: 57cb2fb43662cfbfe0c56464faee76a8b26430943bbb3ff2392bd684ade54f9a
SHA512: 6732a06b0e3d1f308440f8ee05fe549dfda82def08e8d5be67ae8e7b1259b1986632658d09eed215f97cea47fabc8f4f1f697cb70bf59045f1f23a7eceab3ed6

Filesize: 1KB
MD5: 0a3b5e5856e14d6d7a8b906b1b300b77
SHA1: 6504c6f7b12fa0fcf5802a37408ec599cf012e5f
SHA256: 99e75281087dffde0af97d6d475fc8fd1db4731b72cd5c5f6e3b8c714bc761e4
SHA512: 7183c52d6ed46d8eb63439145000d3de14d572d0a2adcc6ceb4a9fd350e95c480b09dbfe28820cb288f858cf3c639f5a98b941c0b15b8bcf7d886987355e9337

Filesize: 863KB
MD5: 759d4451a50129d1f4163fb11190cfe2
SHA1: b70cfc8bd910d64941e10c7c5dceca87ced88156
SHA256: f3f8a71a7a42dcd95cd703ef4a1c09d4e024460f12c208835470d3d0d2173aca
SHA512: 5792ca0a695f4a4dc14e03e3f48a268f268879721106fb88c730ecbcf95b1bc6444c7e4f9555c1af7bb528d6f0dc53d97cbb0513b75ecd8912fe8e11e5ed000d

Filesize: 557KB
MD5: b3b45a29d1b4277decb0c6afd8f8d5bf
SHA1: 9f940af3e5883f5e7d28f82ac130cfc15a17a709
SHA256: 354b2bdf4ef0de2812848d190ace61879de975ab37657f1c81bb9fff58c7c55c
SHA512: cbcf6c2a46ab9ce7ed6ee6c570ff3c88864980bb89843492a34b7307b5fa9df80190b8fc37c837a718fc79ebf9de8639e2d2cc0de28c6266fc959832af8cde66

Filesize: 1.3MB
MD5: b4a28c2a991b061cc0633e0fa45e43c4
SHA1: 21ca367f795bf789597c1cba8676cd81b66894d8
SHA256: ae47c41f25fc412b82e6d26c21f622ad6076119ffa25068d540c0b517765a075
SHA512: f8bbed4b850dd2674cd6bf725f26ec284b64c5c83e51867e3482c2defb7a7f14e5570d3f8c639561b0334e46508258e7a88a8abd010b6cf40dcf730fac67a47d

Filesize: 327KB
MD5: 1e39c9c1ce3d1aa0075edf960e65b238
SHA1: 181ac3dc1ddb845ab9e4e2d04214c8c29b2907e8
SHA256: c883adc0bba4ec932f657357e6d9e1dc44ce8c3687dca369199741d8fc110459
SHA512: 5ea2fc6bd05be4b5e5a1442cf526af2227d51b4cd77c8af29d6e7fd8c3b6d627cb8b460974da6a89c6a181e0e5d1560b7eb067181dc99d59ce00e799cc6829f7

Filesize: 130KB
MD5: 9b9b73b2d6656a1679740d6d64018706
SHA1: af142fb019a06848070baf8b91239da4dec66260
SHA256: 740e6c7027599448305e244d772ff6babdbe33d2d5bf8291f609e28b937bac54
SHA512: b52efd1dd0e80c144f5ca7cf874532bc8ed5d88d3158d6bf9d964ec5e7bb211e123c90446a08465a8ce6ca1767ca0b1807d20b27ac0b149fc65006e9b83056d7

Filesize: 869KB
MD5: 2a7011b3451a089c3e8645374e16c695
SHA1: ab5057933bf2fb141bca458017717d0eee334d41
SHA256: 4d31518b752e4da221433a5611631d80efdbe2e985fe4c8ae667c4e2c76b4e12
SHA512: 07b977774d82695606f740bdeaff6a00734c636ece49062868f49d84feed5d4e766308d1a845fffce73908ed43fd62955521c723734b82dfc04d53f1f77ee544

Filesize: 413KB
MD5: b60b9851b20d2fbaea560de63637d3b6
SHA1: 00de41406bdc874d8b5bc2c6ddda245a4aa5ef8c
SHA256: 951428a6219b018ee3d6bb22487cef81d2cacd562ed232699386057139d9583f
SHA512: cd4d217294981bff54ca41bf9cb2ab6e94d24d4802874a441be98fa9df04e77659c18ac9da511300f6d30b6b750c84b7ca6cb7d56c4922d955c79a65b946c8e5

Filesize: 599KB
MD5: a363a11b6722015152dc29010ee6a2cb
SHA1: 893ed1aea6faa47d00b877263ca72c407100b218
SHA256: f4efa917717cb7b3cb4a8ec0e357c85cc968271ce574f0bb082c17ac00ae7dfb
SHA512: 0f11ecf0866bc6c7a4d7d57a2b2c4eac41d1bc3bfa80ac66a677ae3b27493f2de2c5906d4656790cb03c9feeffe0b07cbe5ec67f1dffdd5aea7f7a123c56566c

Filesize: 453KB
MD5: 3ae7155ec3b4ad2cd002c897f5985e60
SHA1: e70801b369b5c340479db710dddb0cd33aa187ff
SHA256: 0d0766d4261f063ea4754d173a17394c1433acae94a65e007b52245e9ba157b0
SHA512: 6b65d170ec42afd51379cce82cf80995ff6453799449b507798e4ab091f0dd6014f3aa939742172125b5488f7d43b813ff500f797a5cf4677079a1fe9c73f715

Filesize: 467KB
MD5: 07f890920dda3100263f02193e900b77
SHA1: aa06412691699ba3f7000cf73689e3d491b9fb90
SHA256: 6ffd78b5954064bba7370af51b2e4f1358424f542682218a1121a375f3903583
SHA512: c5776ca359408339ae87678fa1ddcc0274f53940f044ae324ff83fbbf8441bf564bd3f06fd6dcd2ebe164ad1925ea9f0e3eac88b35559f7615b9a04fb5790946

Filesize: 9KB
MD5: 32d2f08dec5dcf692ca40ba2f829d0de
SHA1: 981387d3192dff4bcdf5ec574f8e9cb84ddbcc7a
SHA256: 22ba619951f7d5ca072fa7e5dd154c1aa6dcc76afc626783aa2ee4d1e488c731
SHA512: 991db94244d72d1e66a26b019c2568e4d8a76e0bb4b4a90b9a0d8734924c8cc753b12a78092af9b248042049d61c55a5b43acff8abb624ef6b7dbf5f7916e118

Filesize: 8KB
MD5: 7ab51d79c94256ebc06b7155c02ac418
SHA1: f4730e56113e67011e87663151ac3827e3bb4eec
SHA256: 9d7722929ea6f016983ebd50cbff744d0f57db2516edf5d4f461baa0f5d0f442
SHA512: 0f66c8e690dae49363b5663e8f4ef730aa23a94eca10f4aa12c17d09fff434468d98df52dc335e41a5a48cdfe1a4d21a838c9e7e116aee22717003ce2c88b8f8

Filesize: 1KB
MD5: ab89e83ecfb23cd2bbf4512d28b3c732
SHA1: 7525bb5d9261cc101213a956dd029ba7038752ab
SHA256: 74ff33614d875e01cf48ea3f5905aa6844be032ccff63d2db1be0c3ee355b4bc
SHA512: fc7fd78ee694e83b49a42db94c03a61dafb06b97f36697b3a7322f9e1aceff18d7c0a8333d2909252caa7fff7de4cdabef8c464b1392a06025e5e927c358d711

Filesize: 3.5MB
MD5: e9077833645033fd561e51b93c001a67
SHA1: bf760c2128a53a23764f9bf95a9b6ddc3398d0ba
SHA256: c724ff33c4877c92eeba24ba956cca9f6d8f6c7245b5500b528babd6a8cc5973
SHA512: a5f45af8ebddf8f76e3d26a68cc71fe79ed6b3b51e6b2cc782378769db278c2196d107974f68ee8d023ba610563809fd98651e7d9fc02098a9753da4d3c3c4f6