Analysis Overview
SHA256
a004be8654d755dc86999ea6688ebc7b7a1b5f7959af4a25a12ec73d0156a04d
Threat Level: Likely malicious
The file Procreate_5.3.8_LeTi.ipa was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Malformed or missing cross-reference table in PDF
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 09:34
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Malformed or missing cross-reference table in PDF
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
129s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flat-Brush.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
165s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flourish.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flower-Power.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240729-en
Max time kernel
122s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 2864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2240 wrote to memory of 2864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2240 wrote to memory of 2864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2864 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2864 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2864 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2864 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Sub01\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Sub01\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Sub01\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | c95eed190525f155878b8431a77f69d0 |
| SHA1 | b0c0f131011991a6b95061aadbbb493f8fd9931b |
| SHA256 | 3ea1525657876d3b2b6b3af9aa73d6734f81f25f52cb920d2c334b229994a35d |
| SHA512 | 0e6b2c595cf041ef09f6d32700802b985e8fbf91887aeb45af41cb2c9c9f5a5a2513d25851f418cd338700709882bf0b8abf998076ab25c8e0d609914b467069 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240705-en
Max time kernel
117s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1744 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1744 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2716 wrote to memory of 3052 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 3052 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 3052 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 3052 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fever.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fever.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fever.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 36474406cf52d453dfa416608b11d48c |
| SHA1 | ebab86daa80cad8458da3525f7d681f7b63dd25c |
| SHA256 | 3d462cf9d00a0c1e4189121ca9f90c54cbd980368b6621bd182d603abb40f79a |
| SHA512 | 1bbcb5f3ddca8da71e902323081d50ed2b1ed81039f5993be8776c9060ec66118a68d3f36ae10a8e3fd50f726ed52cdbfb9fbf681b90decbe24815288d556d3b |
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240704-en
Max time kernel
103s
Max time network
48s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2300 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2300 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2772 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2772 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2772 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2772 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Tip.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Tip.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Tip.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | a480fe6cb83739fe782c6097de6c71bd |
| SHA1 | 9a59c03b0bf9c40f54315536f7477c502363df70 |
| SHA256 | d3c154617a9b39cd95875b85a88912964b8fd1d9f11e59933bd669e8185623a4 |
| SHA512 | e53d8b6fce2bc7390228a8e9788aa6ece9401095207fe1892261917176106de85b183ec4d29cbd1959263008fb71a569f8876793262e3502036d8bb0d56045b4 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:39
Platform
win7-20240708-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3024 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3024 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2772 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2772 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2772 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2772 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flat-Brush.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flat-Brush.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flat-Brush.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 726ff5d7e76fd937b005a512b911c4e1 |
| SHA1 | ced93efe092776779994c4b28251d269798579be |
| SHA256 | c5177c355696116bf601e11a459d6a98d67d4661da84c8576da9c40d9246d8d5 |
| SHA512 | 09795135068c9187657e1a2cec9164bd332a1a808d229c5b078e0fa1328c1643d6610c66a888d2fcad1198b9f7b26afa5cf5cc67dc4d203383def007782ef48b |
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
159s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Nozzle.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240729-en
Max time kernel
102s
Max time network
25s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 580 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 580 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 580 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2716 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flare.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flare.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flare.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 03939e3f60bc55179069641647439cc0 |
| SHA1 | 14a1f3e0d06904ed7aeb09b57172a8b97a14c7f3 |
| SHA256 | 4d9aa81109ec88573178bacc1ddbb1964d9f05ca1756eea955a225752fb3e832 |
| SHA512 | 3370100aeab8f24014b50e397a3e0d6d034c20090c5634eb21424fc5de3261ffc4370ceb45e38023aa3908cfe0862032a7529a34599cc306bf311c3bc5dcacca |
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
106s
Max time network
169s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flames.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
167s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flicks.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240705-en
Max time kernel
122s
Max time network
139s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1756 wrote to memory of 2692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1756 wrote to memory of 2692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1756 wrote to memory of 2692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2692 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2692 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2692 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2692 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flower-Power.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flower-Power.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flower-Power.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | cd4a78e066e474fc3a1757ef0feecdc6 |
| SHA1 | cbf753956cbdc1c21929f16ccdcccf33bdd5ad29 |
| SHA256 | 2429602302c28455db3924e61411862caa7bc7097fd7ebe1b7c1efd49455f5a6 |
| SHA512 | f888e9cafcbab2fe7d660947dc7ea2050521705cb6f381631075841bde5890af808fe6e1e0071ae3f72296d9f67cad3b6c04d1620ddce7074dc62bd7c38f51e2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Procreate_5.3.8_LeTi.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240729-en
Max time kernel
102s
Max time network
24s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2780 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2780 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2780 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2848 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2848 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2848 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2848 wrote to memory of 2856 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | eecc1b8fe185bff3b0ab0360596e2f78 |
| SHA1 | 084c6e1fc9ebbcffe514d6b609af45815becd3fd |
| SHA256 | 1db4b2e6efa1b3f8beea280d894e658fe03e3e7687f6ec862db77e225b656b06 |
| SHA512 | 60c0b88479db26535a8c481fe1988646836ebae689d288f1c5b8b3b32b08a1fe2f4cb8aa997a3a09e6938659c50e8fb2af04567c7d35f50b396a091b66d51097 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240704-en
Max time kernel
121s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1784 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1784 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1784 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2820 wrote to memory of 2712 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2820 wrote to memory of 2712 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2820 wrote to memory of 2712 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2820 wrote to memory of 2712 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fat-Nozzle.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fat-Nozzle.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fat-Nozzle.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | fb6c2495c60fb7e1244f303c338879bf |
| SHA1 | 5a4be717f1704ea8c0aafcd56e0c34d32ec2df26 |
| SHA256 | 8befb1e19fdfe621e5efacaa4cc870dd59b0d16c4ca0ccb93745c5251e8a5f2a |
| SHA512 | 3e235750603f31302eaf4195319140fbb20d29b7944cfa855c1e7615b3f16f2d2de03e14294b9b44a5d515b103764653f10ebf06cd5bb482549fb57067d52973 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:39
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
163s
Command Line
Signatures
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.archive\ = "archive_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\䆁 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell\edit | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell\edit\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.archive | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{7C8BD26E-B594-419A-BB64-72A53E9612C2} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\䆁\ = "archive_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\archive_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Ferntree.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Ferntree.brush\Brush.archive
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fad646f8,0x7ff9fad64708,0x7ff9fad64718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4576 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8094903677863277114,18324520218342804867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff9fad646f8,0x7ff9fad64708,0x7ff9fad64718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15068595649455782852,14087184001172580824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| GB | 184.28.176.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 114.176.28.184.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 184.28.176.56:443 | r.bing.com | tcp |
| GB | 184.28.176.56:443 | r.bing.com | tcp |
| GB | 184.28.176.112:443 | th.bing.com | tcp |
| GB | 184.28.176.112:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 13.107.21.200:443 | bing.com | tcp |
| US | 8.8.8.8:53 | 56.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.76:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 104.18.33.89:443 | www2.bing.com | tcp |
| US | 104.18.33.89:443 | www2.bing.com | tcp |
| US | 8.8.8.8:53 | 89.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 847d47008dbea51cb1732d54861ba9c9 |
| SHA1 | f2099242027dccb88d6f05760b57f7c89d926c0d |
| SHA256 | 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1 |
| SHA512 | bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f |
\??\pipe\LOCAL\crashpad_2764_FXBNYLMUIBUMCQKI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f9664c896e19205022c094d725f820b6 |
| SHA1 | f8f1baf648df755ba64b412d512446baf88c0184 |
| SHA256 | 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e |
| SHA512 | 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0a192ab3d704c3df53d7e52677ea702f |
| SHA1 | 13c8c85e37892326905ff6fa7f2828060f6d8b4c |
| SHA256 | 09b9642124396dbbd508c1af4da25701d0c87f632fda5591402b5080d76192f0 |
| SHA512 | 809e480ba35036ff7f9c2c045ceeca3881a6d6d1dfbb3167df1bef6e2cb2b2d228d183329ea5bb2860c3dc98298eceb16c98ccc1b3f17a2a9ec4057181a47e4f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3e4cdb124a42cf6df0b5f6ab11b4d44c |
| SHA1 | 36e1308fc77418b8061fa8ab90d7501af1bedb80 |
| SHA256 | bc48d4e7192e0742cb9a80536326f6b1f2907fb101397e2193d9759739fe82a9 |
| SHA512 | 0079d6c255a0fe0ee2159a2b76a9d64122d89bca2434d8fc323cd258d075dbe693b88a5696917e42d00a7c64effbf568e87c9d3fc4bab172cf5c989c6d040583 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1951c348f24f281904befcee603d4c7d |
| SHA1 | b220b775da361077f103621a928c5a2e43afe67d |
| SHA256 | 9debc31db3a90f069d8dab9f0345393e98c618195f1ed94ff4de59484d79f8b2 |
| SHA512 | a6b142bd7f8bfe6803e3005cf6b0dac028b87d0f3a65454f0caa996f2053e8d94582cc1337502f0c1910d7ac59de93912435f7bcbb645cdfd7ee2867ee82627e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 97300307d0cbd41d2920a9f54500221a |
| SHA1 | b2dabf55128cc0b613f9dac8c55c35eeff0e421b |
| SHA256 | 89ae139553abeab6fcf890de2ad8d7f0eeef0e7cebb07e63bf97cb179383f0fa |
| SHA512 | 2fe9ea5540f1f90759afae1d14e2ef8677addb5a105836490a665bb6fcfc238a6491de7d88f3b3371c76d2121ed069e8b4387f5a47e69f8cb35b7422c00d1362 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 66ecf35641b2885b14b88fea76d51fcd |
| SHA1 | 000601166ec12334bbc83091af7915682b947f5a |
| SHA256 | 9932cd7abe5d0b56a2e3221ccfe9d924dbced1bd74da036b0f725ee6a2468e0f |
| SHA512 | bb0f3d92a5b257b70fd7b647aed7192b75737403f7d8a7465ab771aaaa510f14bafcd20ce2fa5f571d4d3a041f6a396c34d65629127741ca9899b0a905ead330 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a18de8e886c43bc8f3acbe6b94398355 |
| SHA1 | 01aca1c0329fe408fde3f3c0accbe06f90a3b9e8 |
| SHA256 | 5874ca1c7856aeccf94a35a4ed89e739039f8b13c5131877683f8a2676d6583d |
| SHA512 | 90b5af7bc7a9be4743d835d07adda24293ce13c2169db8c1594a233b35b1b09241fb343b0913ce5c4073cbfb33d97d7dc7da81c68fa7df51300769920b3e15c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
| MD5 | 3f9cfd9b7f8306fe551d5790735b1d5c |
| SHA1 | 79c033ad8bb2519261d6541550403c82f3ee9cfe |
| SHA256 | 9d37cf5632b9df8cc103850d0788f4025ad4028294d6693885b0b32d39932985 |
| SHA512 | 49d78320586abec9ae5751022690456b9d989e625e7e2336f26acb2c1cc909416186746145dc37f2bc4ec61551338669e0f3810e5321a578c9d35583a7da6d41 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
| MD5 | d5cab695d8dcc87c3ca77009b2d68420 |
| SHA1 | 2b7f54312633fc5e72bd06ad1e145abca52084c6 |
| SHA256 | 6f5c41ca2e6e3a2a69b044ff2d253f25797e08a490aa4af7aa83ac5db1eac94c |
| SHA512 | 93dcd2045e836a9cfc980332180caa03110b48fe93b58fc35db905ecc6d6ac600559871172182064d71abd6815e5e0926cc7de98fcc0eca21f2e4bb70a561712 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | d2561a08221705058fa455aab079e33a |
| SHA1 | cdb80102e26c6dc64eacef074a724070d977822d |
| SHA256 | d56eb74cf6dd02a0f30f916b1b9d4705adc041fdeee8d90bdc6961bba6ea3365 |
| SHA512 | 01489351a4072dae3274e32e69d3caf8ddc62a3a1c7129ac1794ae6686c998dd9ba32eb6ffde9f11404711f0907b9cb4d6278169c01c52bec15cadace5762f1e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
| MD5 | 97260fed57e7b62071707392be453c37 |
| SHA1 | 29761427abf9d959e60bff172979eee4665daecd |
| SHA256 | ba6001abbcadf4988a373541cb063b25b4b54ee222cf1c66a4702cfbc52ab6b8 |
| SHA512 | 142b122492db91998a297f77e935e0ad39f8fa933fbb8881c9f9ecb4948b37b5d771d1ce933765f8c74b9dd99b304382b6edcf98a43e867289519b97f988bb47 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
| MD5 | a031072c91b76a1388f2970547f7996d |
| SHA1 | 31c0c94dc171073660c323454de0cf716f33fab5 |
| SHA256 | 0c33d06317c87c1ea470f9d77723452260c0124c72f02113d4ebb9303e42cecf |
| SHA512 | 5c6b166993c68c0a7a4de4c5bb4afeacc587625b8031801be7413f377cccbd200f13660e8eb1e7b10cd3cce031e37a173994ad04a9e3d784f1c5fd5ff0641fec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
| MD5 | cb9d4903db52829e842b976aeda2f358 |
| SHA1 | 95febf2bce9752b4ed89f61f77e69a25362045e8 |
| SHA256 | e4b3f84b04dcb8f028c87b479a399f2ecef071784bba04f2a162195e7e9112f2 |
| SHA512 | 3c044141f31051276b28f1de594357aaa9bdaaa4e4ce79a9246418707beb6cc0c3262b95d48bafc509f759a92d6287e7e2bfbaf424ebffd4106746b9f77a43d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
| MD5 | d035710d9645bc6f3a2b07d65df96d5e |
| SHA1 | 1b8ac4d6eb5c9eac68081d769e77b5b7f93237ec |
| SHA256 | 37793a725266c5dd9ef17793c0f59d2159b540418b8b1cece37516014e77a0b0 |
| SHA512 | b368acc6ff0844a037c6744b73b90cbda1a8e5b037eca45f173ba1458f0ec26fe9d22f2b16ce7f532355e8bc64fae84c5b31ffd942d648e98ad691f66df3459f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
| MD5 | 722b40ab10ba2db5794dc9d1c5526d99 |
| SHA1 | 35ee412c04a9f38a14363fb3a2dd03ce62e226e8 |
| SHA256 | a06cf93a7d07f66aaa54989c894ad2f95e9169724cae2b7b25c971e730a21225 |
| SHA512 | 05a149006927a6bedc8d200a8f6cc14c5c987603298e215c4c823aa1bd57e6f0358235e23aaf6eefd97e83777c4d1931880542e15a27f358c492aa4f44e417e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | d0613c85ba3ee5f2acecacab9baac745 |
| SHA1 | 958be819b50c62d937a8794baa5134443d3d0284 |
| SHA256 | 5ba2f546312d37e6b228228892afb6b2513973fdf95d5968635963c423750427 |
| SHA512 | 46c947f209c6a02787179a46ef7d7395cc320ab70a264b8baec9bb446dba742647e5329ba2478063e6ea6cd198f1f920938817dc658383c7338102753f66e5c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | 28fde87ad3f1dcd2c3e87d54d53bfe88 |
| SHA1 | ba8e850102f69885dfb32c5fd9523251ee885814 |
| SHA256 | 345da2b42ea78160bdf4c2e70c9449091a9226ff0e54f240ce17f2226f754109 |
| SHA512 | 45c7312851b1c545e0611f782bbc341e36f7bc97125e2a952d39b62b4bd21fa170518b91a1675b2a37f4a2977536bdf8ffe09c6480ad811344609fb7797278d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7f945118563b6ffedac3f032f8491fb4 |
| SHA1 | 7dbaafe1975bca05cf332c64a88e34b674c97118 |
| SHA256 | c50dfb8a4dc41b8567b67c32b79bddb48a1687942b9ae706bfa2615711f5461b |
| SHA512 | 056817cb4b48e5463bfb3fc5202d6bd5375fdc8e751419169d96fcb0271c5f2b9243a3c67caa1fc108c08779488f20c9d263f08c2644b0329049f51062b7d25f |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
| MD5 | 3ff013512885047023d2daeedadf5d19 |
| SHA1 | 0ec1981f24778b2a9cdc908e9fd77a207cd89c1d |
| SHA256 | 0fd1fd5fb48c172a3d20e32ec6ce86aaf147c48bd282b48187856b3800dde32c |
| SHA512 | 0cfddfcdd2d5803e7d986ba03c6fe33dd01c5d4adc326442e593f63ad77a130b5310e690f0767f6e380be3267b06fd51056edffd60aa2478a7c5b2b0929aa1af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
| MD5 | a48763b50473dbd0a0922258703d673e |
| SHA1 | 5a3572629bcdf5586d79823b6ddbf3d9736aa251 |
| SHA256 | 9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd |
| SHA512 | 536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 80936fdaa4bb2739ac9a9597fb1377fb |
| SHA1 | 02adaad426e33c3836c82a8bbecde8f54b18dcc1 |
| SHA256 | 109ceeb68dc79e6a55dd1d371c5d2193d5a6369ee5b980030add9d1724b3bc12 |
| SHA512 | 739d3516bb23ed28e00e6d67ba7e5a62bcd74352fe2333d74fe908f2573091a1a4f75b8dff249d53ead1fcbe3b30cd5dc3aa3828e7374b11f6c08a2257722e9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | edb8b2a435993f17656988f1d5a98d37 |
| SHA1 | 04ff53d9372917aa904502da5cfd409a06bd8a08 |
| SHA256 | b8f21f89400f8a66e8c7d637ae73ba5aec822c16522ae39b673947b3c7030396 |
| SHA512 | 80957cc396a34aacc54b568140a99778bdec7ba589ae69db8a47313bb8024d7cb9cfdac175f39afebeed7f46262c74c5ee8678d65835785b2d4e6118ed7d7957 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
| MD5 | 22040a62254f018bab5e7d0155afd0b4 |
| SHA1 | 11430f3d7db8217f928565b4dbca52fe05951677 |
| SHA256 | 0948dfaec12693fbd9d0e74832cccd97ebe0ec6254d03834b676a9538da0a00f |
| SHA512 | 99a1099f9a09405b8ae6aab06faea61509ce3797251ff9e0b6cdc8004ddf31b95d0417252c0dca79207cd88df59042e0eefb1b8fd9960c798797e0f087fcaa36 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001
| MD5 | 1ac9e744574f723e217fb139ef1e86a9 |
| SHA1 | 4194dce485bd10f2a030d2499da5c796dd12630f |
| SHA256 | 4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e |
| SHA512 | b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002
| MD5 | 507e84952813ee5c7b57489b277d2082 |
| SHA1 | 3bc9052a4b23bbce030f8f9f48646461fa88c106 |
| SHA256 | 0b7d5c2bd00d3eea03c36a6b1c072a307debfe892010c78c11cea5138d8eba07 |
| SHA512 | 6ee8e67f81fda20d1a0aaabd9fde522981589210e4569476c23aa973b12ea16348041b7166efbded04cf71dbaf76e7284fe5b72db715d8cd77e43abec8b8ac06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003
| MD5 | a33b3a3fdf5161be5bd861804961f557 |
| SHA1 | 68a57897f1686a3e62ce9808165e18f31661d077 |
| SHA256 | ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560 |
| SHA512 | c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004
| MD5 | d22cb8682c6c279a568ed39bdc634f0f |
| SHA1 | 677360e899085b1fe7af0098575842261a6d854a |
| SHA256 | 78b575d52c9342adcc7b89ee8545e0577169b0d520a9924c7d53bc3587b240e0 |
| SHA512 | 2ad0f705556abae3edb620d4370c1e72c749935d6ec079a10272ba2cbfe42d06a67f6fa1c3d80755aef9419391f701e98d479e946708e26980497f438b154ce8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
| MD5 | 64c41118698e1aed88b4efa4a71ce6b5 |
| SHA1 | 919dda9509a6fe6a22effafffac2644392dc0b94 |
| SHA256 | 2b8891b58287b6b3ead81aff24bcef142e9d4bbe211b97cbf4dfcda776831f77 |
| SHA512 | 7cdfdfafdfa0eb6d7644ceb5e565d57dcb6b55c6bc2c658e0a2d4c99c028b2100f84308b2f27dd7f430b5f2e15b935ab19c34ce218e086c6e8cb26c4d14a2513 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | d7bb3efbd386fccab06a67c5a822378f |
| SHA1 | 172323494107693632bd9ba1c34805f80adb74be |
| SHA256 | 2895b3c2c00495eb47c9c8cfa7b60a8542e63230d14347bfe786194754321a2f |
| SHA512 | da661cca285b63695de91be1afcce9fc39c440bba3efc043630120a8a8f1bdb4006da774934d0ec25a7b7a00f9a3a13226294a99d15ddd5734bfa10ca1070c3d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
| MD5 | b142c7f52e07e42cb7de9b952ec618f6 |
| SHA1 | 82f3f2d181741840c2e0970c5ce706cfbab8cb46 |
| SHA256 | 7d626748f022dc3fd864549cf078a5d56c54cd0fe0347f6519c318c24005562f |
| SHA512 | b21ea88d35ab91073ab3eb6988ad4b5df2047af2b17bf0b16e823d00089e1090bfd32847a64921e45ce3a8c674572d2126d7cc2b4167ed91cc7dfa160262acc7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
| MD5 | 5e32dccac84e6915d65de9ca8be20592 |
| SHA1 | f4b6cc02a5bc12a5d0d7808ad6a88d1fefe1af32 |
| SHA256 | 1f78f31aff399e6bc497a8643ad67672db5188e15ea5b30ade658388cb931de8 |
| SHA512 | 0cdb21f72dd986c4a28fea64ace39f69d92ee95cb37b69b24cb4d0a3b69f16d9202c1109964037ec90fa2051a4e368c25a07bd1ef345cff91abdf4b2cfa96207 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 12a0be6057a77ae63e0b96d2ec19fc03 |
| SHA1 | 3ee6a5dbfe7e2bfada044ca9e73c7bdc618d2dce |
| SHA256 | abd54ce91ce361285d3380470becc95904d2cd581a9ce54f811f82844c808d64 |
| SHA512 | 4fb3558eac223325e6f06def916ac7e6170df8228d90642f49a8a69475f66f14551773da543406254a0aa7b77eb48e49920d5f4aad53d2b44c5ef00763f158a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | da1fceb5a298abc51757530fa659e838 |
| SHA1 | da4d324373b6d1d630028780274d7bcd5c57a864 |
| SHA256 | c48387ef47ac2924d1fac97f0ec832a1c400a875415ff2a7a6f269193965020f |
| SHA512 | c231c6248b2e40c66a4aceeae6e71127033821e2ed809983eb8b307f32c7892536abcd55c147c00ac878637bb80a4ce5d4a70e1cb7502482d4fba40275c74082 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
| MD5 | 13bb8bf9d12bd95df53bea75c25a90d8 |
| SHA1 | 3026c7dc468cc6df04be70091cd83395e5b16e35 |
| SHA256 | dcda592f05f5f4557723e420dc9fcb95390efc1ccc5ef818df1253b9bc72335f |
| SHA512 | 7f065ac9dedc625f412a331a4cc43ab4b29ca7a281b76258cc0a9b3b62f51aaf37eef0dfff47b8b8cebee3099278e9b06e5f74b6923815ecb53452bd7456f31b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367324267354806
| MD5 | 19bc4977df1a77d6bac42280a17cb6ad |
| SHA1 | 54d93396e8b17e7ffe833e7e51d73084f9eb870f |
| SHA256 | 747668f9269e6ed415623a0c5a82e5ba830603ee7496bfa9053908f3924fc27d |
| SHA512 | 63744e53ceeaecffbf2d072dcb1fc527eef974fc46f170831c4d56844f4b2a326bd257fb2eb6bcb9f0f3c898d662402e3421f24aa13fd2c7ffae058ab5494a03 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 0851e66ac8a30e75311954c8493d456c |
| SHA1 | 94b3737c6bee244e170ae47f913632d75fe439a0 |
| SHA256 | 1a3b44e5422d1729c7cde90dd3baeb8215cb3eecf76b4897eafcbe92321176a2 |
| SHA512 | 1be16dac14538e17a82ef950c2add0685f24a535cd97be00e5ca2bc50247dbe8e73048a77fa5cc4be4988802d72e71c7e713254155c2c002b736d0b72e6ad7b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 182da4beabe7a527d130b94a6bf96d62 |
| SHA1 | 7fe75f864f49ca9c756a64ab974b64d2f86193e1 |
| SHA256 | e04811084e770f8aa7266100fe5547f669ca36f2bdf24cc51449242c8c00b84e |
| SHA512 | 8090d9aca02e16bd1f5a2bac126b38c5a959415ff0b6f4181b1a83dd03dfa82516564e4faeab3d1cd3af4041a352dae75983f343626bd6fa1773f2e395702955 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
| MD5 | 7ae5c2614c4131d7939f1b42040f1bc5 |
| SHA1 | 38bc8d40cd5e7a24b43d1529b08b67c0f614a9e2 |
| SHA256 | 74aa08c5837a30faf1038b1a8a229db7a6942fba9dd5161e7be02f739f29a4f6 |
| SHA512 | 4c3220261ab4a4c3335449195e8ade3c46ec4757f6e24d2f4593610721ab2957456afd17c8558f1994eb682d33994b6650cf84303e9e701e11b2970853ed20d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | 972420d7a1515c9a8d50c2c15794e5e8 |
| SHA1 | 36dd4758ee5ba9a11d5b93f0950822269383c5f4 |
| SHA256 | 23c8f884eb6a4402af5afc45df593d27a260f58185517a284c4bbeae71c0014f |
| SHA512 | 0115b2b2828591f7cc94285e7569faaf099c00b36085fa7031c2ff9890b15280ebe2230251b18445a78e5475882b94358b384dc8b7913bf72129b872f538264b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | e3c436be2e0bef53767bbe09a5659ead |
| SHA1 | af7a42bb11256da2b9ad3dfc708793ccda79e9dd |
| SHA256 | 02235a786b3df4e995a923a01cd73795c9fbdeb81a2e53a45980cddbbb3d27f8 |
| SHA512 | ed84b3e7e0d71da5a76b7d87c5e06fa41f6150ce6fc7f999076c84e642b111aa4ebcb0da0cc6380ed7a0d0d7e981dc2eefbd030d76550d681b67669c3b4abb5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL
| MD5 | 2d90d14bc522c466398fdae855753de0 |
| SHA1 | 41dd2772d9ec993b40f1d6d6c50dbb947f43126b |
| SHA256 | 11684ad12fabe0e8dd08a44bcd58514973b6538f2a067ccda9f7418037763f46 |
| SHA512 | 5f6eef1c2222d5699b22e6738aafa89dbd4268457646e6355cac1c2163da4ab93fef41105f3758bfff34b049a09ba8c85347aacde6187fc9c00c158361ca55e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13367324267044806
| MD5 | 163d351c1d3c56601648062f78f5d215 |
| SHA1 | d9cd975fde1edf849ba708df5270e5fc296168bc |
| SHA256 | 04f4412c14181ceacb2a9cd02ba305a6a63f0cd872657151fa9a201cdcb5a863 |
| SHA512 | fc0251d13a26f292ba2234804cc54924c38b25231bfa021ea72296d3e8633559a9ec9e8767526f9d309d5cdfa3dac407f1918350bcb6a6ccbe5a8d30a198b9f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
| MD5 | d7e34580da80c02ac057afd1d44cdfa2 |
| SHA1 | f2ba6f62a6459bd3c10899dacef76409e253b330 |
| SHA256 | 79730d4c39bd8714c73259eadf36b80a6483cee31b74c72fd59edb181b59f274 |
| SHA512 | 01f2e4181553d795c7aca628309f17f6ec8cd7f8f2b0498ee7a01eea52112d24bdae292a8fee70c8bf80db0f94b7dc4ac17a385645129ad55682c3ce7524d058 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data-journal
| MD5 | f2688c77c0cbf8b7a6a5881abb61873d |
| SHA1 | 9b2c987540467c0e6070a6975f65fb76fe2843c9 |
| SHA256 | 38ba62a69df78e1837aad279c4b1463022d29273e6e12e4af68a3b20e9a856ca |
| SHA512 | d31e8ecf26aa19c496e14741c59569e95ed0edd52c51edc752f92ac2393555010c500329467f99c0c46a37dee95c1d97e9c8881f8d6e6cc33ee21b04be0e6126 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 442a72a70053c8fd7abc471c821718cb |
| SHA1 | 4b0911efca8eebb0129fa426e4533a9d47c96064 |
| SHA256 | 394d28d3633902f2c92abbfd4f083921fe9ed247c7bfad25413a63e4ed7c852b |
| SHA512 | 2488b9e37aa708e9c1e0ead5b78e8e7b63d3de859a6fa6e6892186ba344bd9c4e668e6adc946b3f761a015f7990df6df42bc793a197611e372025db040685df5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 360047a38da1f901aaa8e063d28a55d5 |
| SHA1 | e380be5c55f3560a841864b65c4631af2b59a155 |
| SHA256 | 1355bb2d5cb7955f3dc57c13a37ed573fdf0c2705dc601d5b2b5dd9c60e61dc8 |
| SHA512 | bce90a16a0d13f151f848535ccfcb5c5ffa1bb2d9f24923ee9ec848496661e946a34361754c9e58bfb61e7d604ce51cbf4514ba4f33554efd42f92a98e87da0e |
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Hair.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
85s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Sub01\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
159s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fat-Nozzle.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240705-en
Max time kernel
121s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2720 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2720 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2744 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2744 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2744 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2744 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flames.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flames.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flames.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d042296f8fa84f389d178d11978cb4c8 |
| SHA1 | f99054b6f05dbfa8f13a529cdb4865ef98039180 |
| SHA256 | 26f3e22c550c8f341a14c726abe532341b2f6441938d2f808b3bab85f93b421b |
| SHA512 | ebdb0706ff29260d2641814533a4a043d3146a75940e29f98c5295dcd7a7268cda06e156774e85b64b9c90a8ee130314ed7b73de2e449ad24b1f1ac874eb611f |
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240708-en
Max time kernel
121s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2948 wrote to memory of 2400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2948 wrote to memory of 2400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2948 wrote to memory of 2400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2400 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2400 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2400 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2400 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flicks.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flicks.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flicks.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ccfda4f83be6881139973d6ac22a95c2 |
| SHA1 | fc0bc369c6361d35935f81ece2345cc6b155255e |
| SHA256 | 79d0b58d91d93924d016818edb6f213ba15a394bdf4e496889c6e45e7d4a3666 |
| SHA512 | 1e81542ed2c8ec2aac2d9d5645f28ecbbeac7c398637c94775e4e1e6d89d4f7df50b35658305eabf9789e4aca803c948ee2586935b783bc5788d64ec80526ccc |
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240729-en
Max time kernel
102s
Max time network
26s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1796 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1796 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1796 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3012 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3012 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3012 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3012 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Hair.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Hair.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Hair.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ba2ab0244ccfe4748a5554d11ff0b2e1 |
| SHA1 | 14fb87548e1a61a5e39454da2e0fdff4dbd9e446 |
| SHA256 | c62b9cc108d5b71e3ee106b2bc4eca6b0ba1eb82e8b0d2a7dcae5dc7a050e5a6 |
| SHA512 | 968fbf20a406c722d1a4b6e39a90c8206835ecf754325c2cf1177ae15f6f08142c6d2f6f94da8b8e7008db0b9df59e9bd465206bd6982842072f0049027ff83f |
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:39
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
161s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Tip.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
163s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flare.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:39
Platform
win7-20240708-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Procreate_5.3.8_LeTi.zip
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240704-en
Max time kernel
122s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2352 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2352 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2892 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2892 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2892 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2892 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Evolve.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Evolve.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Evolve.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | f4b3ba0ad02af1aca46df51b1ba311d2 |
| SHA1 | ac496a695811767c0de8d5cd5e2c95b07aef8382 |
| SHA256 | b58575d9cd24179edc5062c7346740041e68c69c7a801c2ee48963909af36a9b |
| SHA512 | 7daedc5938bf1e5163dfcf1faed226731b5307dc5a55ad2148c74938066ec6bf1c2e9b0ab3aa9a5a3706804f4b772a35d686a47cbb0832467edb999faae82c78 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
168s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Evolve.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fever.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240708-en
Max time kernel
120s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2556 wrote to memory of 476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2556 wrote to memory of 476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2556 wrote to memory of 476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 476 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 476 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 476 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 476 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Nozzle.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Nozzle.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Fine-Nozzle.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ecb2df039481fe2dcc1078a2bab0337b |
| SHA1 | 6a3c7ee39197123ffe36b80e448f2774956d628f |
| SHA256 | f03815f283cd8e126d9e1ceffe061bea9a7f4dc1eb3fb1dea09285ed400d3835 |
| SHA512 | 97481e7e93748ef84464f384bf531819e8d027891cf2a6a9f05c2833a01bfb3930719ed285ff1c3385130eaf7495faaa892d36177547cb044efcb50988838b65 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240708-en
Max time kernel
121s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2904 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2904 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2568 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2568 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2568 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2568 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flourish.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flourish.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Flourish.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 312a1e6d607f353f55457f6cb4e80482 |
| SHA1 | f6c2db44669841ab746cf87711d326c69a0be445 |
| SHA256 | 44ec38ac3fba10944e15aa67111eb5ccc8cf3522d0412d1f9fa5168c649da746 |
| SHA512 | 9042f669590664b9949adab7e385ab59a0c5b8e8ba36fe04920aff25d7ae8385f65a92f3e903e622d84afc956b0681e8e03c39391731cbf539e60094655420e3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win10v2004-20240802-en
Max time kernel
1s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Eaglehawk.brush\Brush.archive
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-05 09:30
Reported
2024-08-05 09:40
Platform
win7-20240729-en
Max time kernel
102s
Max time network
24s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.archive | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.archive\ = "archive_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\archive_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1744 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1744 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2668 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Ferntree.brush\Brush.archive
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Ferntree.brush\Brush.archive
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Procreate.app\ValkyrieResources.bundle\Brushes\Ferntree.brush\Brush.archive"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 17d2b763331cbd82660bce873f0c937a |
| SHA1 | 39e5b7e87bad18513b1950d31f08df397aa2f4f8 |
| SHA256 | 255d5b6be543e36c91fb90b3f6bf574250728b2117d90d2f07a0411c50d05b9a |
| SHA512 | 5e3e8ea8add1220c992ea55f4319859f7c1493582cdb308a3eebeea36b5b070930a1b1ada2e2c13afd6d6bc9f3b04cadacbbb55505980643eb3cf04a1e388b4e |