Malware Analysis Report

2025-06-15 19:48

Sample ID 240211-fajfvace9t
Target d6fc4895775aafffbd52cb8e9e731824.bin
SHA256 88298903d11f433f1885306c3f4f4f7233e5b4edddbf89374b689dc0be730206
Tags
rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

88298903d11f433f1885306c3f4f4f7233e5b4edddbf89374b689dc0be730206

Threat Level: Known bad

The file d6fc4895775aafffbd52cb8e9e731824.bin was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates processes with tasklist

Runs ping.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-11 04:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-11 04:40

Reported

2024-02-11 04:42

Platform

win7-20231215-en

Max time kernel

119s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2020 created 1256 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\Explorer.EXE
PID 2144 created 1256 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\Explorer.EXE
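
The two rows above record that Structure.pif (PIDs 2020 and 2144) called the process-creation API for a child whose recorded parent is Explorer.EXE (PID 1256), which is what the sandbox labels NtCreateUserProcessOtherParentProcess: the declared parent and the real creator differ. The WriteProcessMemory rows and the memory dumps later in this analysis tie PID 2020 to dialer.exe (PID 1752). Telemetry that only stores the declared parent (Sysmon Event ID 1, Task Manager) draws dialer.exe under Explorer and loses the link to the loader; the ETW Microsoft-Windows-Kernel-Process start event is logged in the creator's context, so its header PID is the real creator while its ParentProcessID field is the declared one, and comparing the two exposes the spoof. The Python below is an added example, not code from this report or from the sample: it models such events for the behavioral1 PIDs and rebuilds both trees. Explorer's own parent (1200), the parent of PID 2144 and the identity of PID 1440 as the second dialer.exe (inferred only from the memory-dump list) are assumptions.

```python
"""Parent-PID spoofing check over process-creation events.

Added example, not code from the report or the sample. Each event carries the
parent a process declares (what Sysmon Event ID 1 and Task Manager show) and
the process that actually issued the create call (the header PID of the ETW
Microsoft-Windows-Kernel-Process start event). A mismatch is the condition
the sandbox labels NtCreateUserProcessOtherParentProcess.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int   # parent recorded in the new process (declared, spoofable)
    creator_pid: int  # process whose thread called NtCreateUserProcess


EXPLORER = r"C:\Windows\Explorer.EXE"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PIF = r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif"
DIALER = r"C:\Windows\SysWOW64\dialer.exe"

# Constructed from the behavioral1 PIDs in this report. Explorer's own parent
# (1200), the parent of PID 2144 and PID 1440 being dialer.exe are assumptions.
EVENTS: List[ProcEvent] = [
    ProcEvent(1256, EXPLORER, 1200, 1200),
    ProcEvent(2636, SAMPLE, 1256, 1256),
    ProcEvent(2808, CMD, 2636, 2636),
    ProcEvent(3028, PIF, 2808, 2808),
    ProcEvent(2020, PIF, 3028, 3028),
    ProcEvent(2144, PIF, 3028, 3028),
    ProcEvent(1752, DIALER, 1256, 2020),  # declares Explorer, created by 2020
    ProcEvent(1440, DIALER, 1256, 2144),  # declares Explorer, created by 2144
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def spoofed_parents(events: List[ProcEvent]) -> List[ProcEvent]:
    """Events whose creator is not the parent they declare."""
    return [e for e in events if e.creator_pid != e.parent_pid]


def lineage(events: List[ProcEvent], pid: int, use_creator: bool = True) -> List[str]:
    """Walk up from pid. use_creator=True follows the real creators; False
    follows the declared parents, i.e. the tree a spoof-blind tool would draw."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        e = by_pid[pid]
        chain.append(basename(e.image))
        pid = e.creator_pid if use_creator else e.parent_pid
    return chain


def describe(e: ProcEvent, events: List[ProcEvent]) -> str:
    """One-line finding in the shape of the report's signature rows."""
    by_pid = {x.pid: x for x in events}
    creator = basename(by_pid[e.creator_pid].image) if e.creator_pid in by_pid else "?"
    parent = basename(by_pid[e.parent_pid].image) if e.parent_pid in by_pid else "?"
    return (f"PID {e.creator_pid} ({creator}) created {e.pid} ({basename(e.image)}) "
            f"with parent spoofed to {e.parent_pid} ({parent})")


if __name__ == "__main__":
    for ev in spoofed_parents(EVENTS):
        print(describe(ev, EVENTS))
        print("  declared:", " <- ".join(lineage(EVENTS, ev.pid, use_creator=False)))
        print("  actual:  ", " <- ".join(lineage(EVENTS, ev.pid)))
```

Run stand-alone it prints both lineages for each dialer.exe: the declared one stops at Explorer.EXE after one hop, the real one runs back through both Structure.pif instances, cmd.exe and the original sample. In production the creator PID has to come from a source that records it (an ETW consumer or an EDR that hooks process creation); a detection that reads only Sysmon Event ID 1 cannot produce the second column.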

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 2808 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 2808 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 2808 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 2808 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2808 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2808 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2808 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3028 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 3028 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 3028 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 3028 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 3028 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 3028 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
PID 2020 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 2020 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 2020 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 2020 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 2020 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 2020 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe

"C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 29428

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29428\Structure.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bowling + Micro + Britney 29428\J

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif

29428\Structure.pif 29428\J

C:\Windows\SysWOW64\PING.EXE

ping -n 15 localhost

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"
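
Read top to bottom, the command lines above are the whole loader chain. The 7-Zip SFX extracts extension-less fragments into %TEMP%\7ZipSfx.000; cmd renames Delays to Delays.bat and runs it; the batch pipes tasklist into findstr twice to look for security-product processes (avastui.exe and avgui.exe belong to Avast/AVG, sophoshealth.exe to Sophos, wrsa.exe to Webroot; what the batch does on a match is not visible here, since Delays.bat itself is not in the report); it then rebuilds the real executable with copy /b from five fragments into 29428\Structure.pif (Windows runs a PE with a .pif extension like any .exe), builds 29428\J from three more, starts Structure.pif with J as its argument, and sleeps with ping -n 15 localhost (about 14 seconds). Structure.pif then registers two scheduled tasks that run SwiftSync.js with wscript: "SwiftSync" at logon, and "Guess" daily with a 3-minute repetition interval over a 23:57 duration, both with /RL HIGHEST and /F. The Python below is an added example, not code from this report or from the sample: it turns these observations into string rules and runs them over the command lines copied from this section. Names are copied verbatim and nothing is executed.

```python
"""String rules for the batch-loader behaviours seen in the process list.

Added example: analyst tooling, not code from the report or the sample. It
parses the command lines copied below and reports the four behaviours an
analyst would triage first: security-product checks, copy /b fragment
reassembly, ping-based sleeps and schtasks persistence.
"""
import re
from typing import Dict, List, Optional, Tuple

# Copied from the behavioral1 "Processes" section of this report.
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit',
    r"tasklist",
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'findstr /I "wrsa.exe opssvc.exe"',
    r"cmd /c md 29428",
    r"cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29428\Structure.pif",
    r"cmd /c copy /b Bowling + Micro + Britney 29428\J",
    r"29428\Structure.pif 29428\J",
    r"ping -n 15 localhost",
    r"""schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST""",
]

FINDSTR_RE = re.compile(r'findstr\s+(?:/\w+\s+)*"([^"]+)"', re.IGNORECASE)
COPY_B_RE = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.IGNORECASE)
PING_RE = re.compile(r"ping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)


def av_process_checks(cmdline: str) -> List[str]:
    """Process names a `findstr /I "..."` grep looks for in tasklist output."""
    m = FINDSTR_RE.search(cmdline)
    if not m:
        return []
    return [t for t in m.group(1).split() if t.lower().endswith(".exe")]


def copy_b_reassembly(cmdline: str) -> Optional[Tuple[List[str], str]]:
    """(fragments, output) for `copy /b A + B + ... out`: the dropped files are
    only pieces; the executable exists on disk only after this concatenation."""
    m = COPY_B_RE.search(cmdline)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split("+")], m.group(2)


def ping_sleep_seconds(cmdline: str) -> Optional[int]:
    """`ping -n N localhost` as a sleep: N requests one second apart, so about
    N-1 seconds pass before the next command in the batch runs."""
    m = PING_RE.search(cmdline)
    return max(int(m.group(1)) - 1, 0) if m else None


def schtasks_persistence(cmdline: str) -> Optional[Dict[str, object]]:
    """Name, action, schedule and run level of a `schtasks /create` line."""
    if not SCHTASKS_RE.search(cmdline):
        return None

    def opt(flag: str) -> Optional[str]:
        # value is either a double-quoted string or a single bare token
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.IGNORECASE)
        return (m.group(1) if m.group(1) is not None else m.group(2)) if m else None

    return {
        "name": opt("tn"),
        "action": opt("tr"),
        "schedule": opt("sc"),
        "run_level": opt("RL"),
        "force": re.search(r"\s/F(?:\s|$)", cmdline, re.IGNORECASE) is not None,
    }


def triage(cmdlines: List[str]) -> List[str]:
    """Run every rule over every command line and return the findings."""
    findings: List[str] = []
    for c in cmdlines:
        if (av := av_process_checks(c)):
            findings.append("security-product check: " + ", ".join(av))
        if (r := copy_b_reassembly(c)):
            frags, out = r
            findings.append(f"reassembled {len(frags)} fragments into {out}")
        if (d := ping_sleep_seconds(c)) is not None:
            findings.append(f"ping sleep of about {d}s")
        if (t := schtasks_persistence(c)):
            findings.append(f"task {t['name']} ({t['schedule']}, /RL {t['run_level']}): {t['action']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_CMDLINES):
        print(line)
```

Against the copied lines this yields six findings: two security-product checks, two reassemblies (five fragments into Structure.pif, three into J), one 14-second ping sleep and the SwiftSync logon task. The same rules applied to EDR command-line telemetry catch this family of 7-Zip SFX / batch loaders independent of the fragment names, which change per build.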

Network

Country Destination Domain Proto
US 8.8.8.8:53 xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Delays

MD5 60a0a998ac721ce59926c350c1cfa346
SHA1 9b69aef9a6d12e0e7f4efab8f7a65329c0d958f2
SHA256 0129d157049640ba4a556776946a767b859bcf0503ccaf17c5f8b373fbfbcd38
SHA512 86e705176ab1060c29930bdb516dd4bb3d0ae32c7fbf49f5ada56478be067cae7c5be0bbf1abb44c042f9dfa531123d85c45d7ed92e6509562dbf023bce04e30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Networks

MD5 e0ee57b3d753dba0d3a58379968e19c9
SHA1 7cb2bd6f3bab50a9836a620610d8e47459445ab0
SHA256 4175135f12188ab2c643aeeca361bcd506730de21255b8eabf6cb8f1d4c2ecf5
SHA512 3cd236c51634159250317f3a8705a836cb72203184c3ca5313d18c8e15bff9d25dd50e7c6ac7af66c9d107046e0ec09579d630b510a1c22b94d6cfbc02034059

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aberdeen

MD5 cadf612984ebd5ecd45906b805ffe46c
SHA1 1b53b6b2a843e6d05678356664be82b0317a3c1a
SHA256 696dabffb01c537d4f35dcf5b44cd0b3250a96bf55b5e47f70351cb87d290909
SHA512 d412fb5f4469463a7e2394b9dc829241ae500ead96178c8da813f8bad6687f46f4ab9378512c55a9fb0025389abb47cdba4546a77b5f601d6f9cb3cac48db51e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Temporary

MD5 90114130f88ac2fb224c689998e124ce
SHA1 df94c44b1ceae98749237fae6ac07092fc4c6099
SHA256 87b55a91dd04d2377e0eddf641fa5d2325bce6a9025dd3cfddb3cb5ca1192cff
SHA512 38fd4b234a0358f1fe4a77b0f4c3204768759edd9a626676364081fc90d18cd0bf3dab181e8c928526b38e7f7e959a4f3cb34022a66c74226bf23d6d430d0b44

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maps

MD5 43819522acece762a7389a5683136c4d
SHA1 b3ff7cf638094690347653f613d5cac9913fbd68
SHA256 eb08e78f8bb92c71c0fe7b03bd6b9498e2fb7118635f7199b762301653c68c2b
SHA512 03dda574da87595b7593387d3e575d9c2ef5256d2e9dd4fb163ac9d993a2c7ad747445fd51c4a8b4627bd09c251aecd6fd3b1401a79cf4468f2f8a9f99ac58f4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aggressive

MD5 029325f8240d37784f57441b3176163c
SHA1 bd61a35e87d9e579e3f14f1912437ac91568e969
SHA256 32acea596c43d3a11f1dddd1b50eafa491bb97f4724d7cf193bbf584196889eb
SHA512 333aca81513e6dd0d49a824c889a945121f4f8343e6c53f47d589be0624c46ba5495fbac37560bec489583638ce03eac0cdab0d2a8273a6e70bedb8799cad85b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bowling

MD5 51269b2f02dba8f71d9fa5a2a7119642
SHA1 6502d3e85e61fd6cb03f68525bd92682e0de6198
SHA256 526e1f710c86eb4d1f3b05bb5bc981d7fb7fd5daed752992f1f543daadffb89f
SHA512 2e0ff51926256595c95b636e6a8314cac1763be5cdb0f51a54dc59d7b67b20275d425eec61fe483e65f73f3b58424fd6fc85b9fed4288fc2c5d57b4f49f7fd53

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Micro

MD5 16c7e782af3a480cf58b2f67f47a637c
SHA1 f23178c12ada8993410e8f1a59a1e271879d5977
SHA256 ce65a1dea48934a61b3e98697659857e466e859d22ed244cbf45e9feded8c8b4
SHA512 6d61e15ada0b82668ada59e95d0d2b5f4bf21fa8beed38b66abea401a642f7c974710f30db0cd537d1397e7b0e060e2225e16f1269632578dd0301e0ab30b71b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Britney

MD5 afdc4a4520d5dc1c3dd70fda304c9aa9
SHA1 914ee920b6e037a42e3b522d89909ae1d899197a
SHA256 c16921f44342ff963f0a6f93e3816c2d9fab7e0382a87a755012fc56422423a7
SHA512 efc9cb520ad2997ca35c5d521839f9723a665fb162dc3c832ea7d7da3cbe855c1ef75904f5cfe9a608d3e97d268ecfd78730fc39dd01318a5234aa960e91381d

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\J

MD5 9e026102dd03937a6464c85c69a2383f
SHA1 520325a083a63ee251284fa447acb52f8004ce53
SHA256 9df3a12e7cc135b26f76b2e967df78b81fd5f505d356e9fc079bf04026931759
SHA512 26b989788ff0c2f2d626b59451a7fd6e3a2c11ea898b1066de5fb2f9fa59f87760bd10ba7db4377455ef9cd2368954d272a58a6a10e6b4fb7ca6eb6625f2fe77

memory/3028-33-0x0000000077750000-0x0000000077826000-memory.dmp

memory/3028-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2020-39-0x0000000000080000-0x0000000000108000-memory.dmp

memory/2020-40-0x0000000000080000-0x0000000000108000-memory.dmp

memory/2020-43-0x0000000000080000-0x0000000000108000-memory.dmp

memory/2020-44-0x0000000000080000-0x0000000000108000-memory.dmp

memory/2020-45-0x00000000030C0000-0x00000000034C0000-memory.dmp

memory/2020-47-0x00000000030C0000-0x00000000034C0000-memory.dmp

memory/2020-46-0x00000000030C0000-0x00000000034C0000-memory.dmp

memory/2020-48-0x0000000077560000-0x0000000077709000-memory.dmp

memory/2020-49-0x00000000030C0000-0x00000000034C0000-memory.dmp

memory/2020-51-0x0000000076840000-0x0000000076887000-memory.dmp

memory/1752-52-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2020-54-0x00000000030C0000-0x00000000034C0000-memory.dmp

memory/1752-55-0x0000000001C00000-0x0000000002000000-memory.dmp

memory/1752-56-0x0000000077560000-0x0000000077709000-memory.dmp

memory/1752-57-0x0000000001C00000-0x0000000002000000-memory.dmp

memory/1752-59-0x0000000077560000-0x0000000077709000-memory.dmp

memory/1752-60-0x0000000076840000-0x0000000076887000-memory.dmp

memory/1752-61-0x0000000001C00000-0x0000000002000000-memory.dmp

memory/2144-70-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/2144-69-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/2144-71-0x0000000077560000-0x0000000077709000-memory.dmp

memory/2144-74-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/2144-77-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/2144-73-0x0000000076840000-0x0000000076887000-memory.dmp

memory/1440-78-0x0000000001C60000-0x0000000002060000-memory.dmp

memory/1440-79-0x0000000001C60000-0x0000000002060000-memory.dmp

memory/1440-81-0x0000000001C60000-0x0000000002060000-memory.dmp

memory/1440-80-0x0000000077560000-0x0000000077709000-memory.dmp

memory/1440-83-0x0000000077560000-0x0000000077709000-memory.dmp

memory/1440-84-0x0000000076840000-0x0000000076887000-memory.dmp

memory/1440-85-0x0000000001C60000-0x0000000002060000-memory.dmp
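
The memory/ entries above are the sandbox's dumps of regions it found interesting, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the same range dumped several times (2020-45, 46, 47, 49, 54) means it was re-dumped as its contents changed. Read side by side they show a 0x400000-byte (4 MiB) region in each Structure.pif instance (2020 at 0x30C0000, 2144 at 0x32D0000) and in PID 1752 (dialer.exe, at 0x1C00000) and PID 1440 (not named in the process list, dumped with the same layout as 1752, at 0x1C60000). Equal-sized private regions in an injector and its target, next to the WriteProcessMemory and SetThreadContext signatures, are the usual trace of a payload staged in the loader and written into dialer.exe; the ranges 0x77560000-0x77709000 and 0x76840000-0x76887000 recur at identical addresses in every process and are most likely shared system modules. That reading is an analyst's inference, not something the report states. The Python below is an added example, not code from this report: it parses the dump names and groups the regions so the pattern can be checked mechanically. The list is a subset copied from above.

```python
"""Group the sandbox memory dumps by process and region.

Added example: analyst tooling, not code from the report. Dump names are
memory/<pid>-<seq>-<start>-<end>-memory.dmp.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Subset copied from the behavioral1 dump list in this report.
DUMPS: List[str] = [
    "memory/3028-33-0x0000000077750000-0x0000000077826000-memory.dmp",
    "memory/3028-37-0x00000000001D0000-0x00000000001D1000-memory.dmp",
    "memory/2020-39-0x0000000000080000-0x0000000000108000-memory.dmp",
    "memory/2020-45-0x00000000030C0000-0x00000000034C0000-memory.dmp",
    "memory/2020-47-0x00000000030C0000-0x00000000034C0000-memory.dmp",
    "memory/2020-48-0x0000000077560000-0x0000000077709000-memory.dmp",
    "memory/2020-51-0x0000000076840000-0x0000000076887000-memory.dmp",
    "memory/1752-52-0x0000000000080000-0x0000000000089000-memory.dmp",
    "memory/1752-55-0x0000000001C00000-0x0000000002000000-memory.dmp",
    "memory/1752-56-0x0000000077560000-0x0000000077709000-memory.dmp",
    "memory/2144-70-0x00000000032D0000-0x00000000036D0000-memory.dmp",
    "memory/2144-71-0x0000000077560000-0x0000000077709000-memory.dmp",
    "memory/1440-78-0x0000000001C60000-0x0000000002060000-memory.dmp",
    "memory/1440-80-0x0000000077560000-0x0000000077709000-memory.dmp",
]

# Heuristic: on 32-bit Windows, system DLLs sit near the top of the 2 GiB user
# range. A region above this line that recurs at the same address in every
# process is treated as a shared module rather than as injected code.
SYSTEM_DLL_FLOOR = 0x70000000


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def unique_regions(names: List[str]) -> Dict[int, List[Region]]:
    """Per PID, each distinct (start, end) once, keeping its first dump."""
    out: Dict[int, Dict[tuple, Region]] = defaultdict(dict)
    for r in sorted(map(parse_dump_name, names), key=lambda r: r.seq):
        out[r.pid].setdefault((r.start, r.end), r)
    return {pid: list(d.values()) for pid, d in out.items()}


def shared_private_sizes(names: List[str], min_pids: int = 2) -> Dict[int, List[int]]:
    """Sizes of below-DLL-range regions that appear in at least min_pids
    processes: equal-sized private regions across an injector and its target."""
    pids_by_size: Dict[int, Set[int]] = defaultdict(set)
    for pid, regions in unique_regions(names).items():
        for r in regions:
            if r.start < SYSTEM_DLL_FLOOR:
                pids_by_size[r.size].add(pid)
    return {size: sorted(p) for size, p in pids_by_size.items() if len(p) >= min_pids}


if __name__ == "__main__":
    for size, pids in shared_private_sizes(DUMPS).items():
        print(f"{size:#x} bytes in PIDs {pids}")
```

On this subset the only size shared below the DLL range is 0x400000, present in PIDs 1440, 1752, 2020 and 2144. Matching sizes are a lead, not proof: confirm by diffing the dump contents (the sandbox provides the .dmp files) and checking the region protection, which the file names alone do not carry.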

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-11 04:40

Reported

2024-02-11 04:42

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

149s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 848 created 2416 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\system32\sihost.exe
PID 1036 created 2416 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\system32\sihost.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4516 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4516 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4516 wrote to memory of 632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4516 wrote to memory of 632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4516 wrote to memory of 632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4516 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4516 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4516 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4516 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4516 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4516 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4516 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4516 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4516 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4944 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2884 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2884 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 848 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 848 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 848 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 848 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 848 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 4944 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 4944 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
PID 1036 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 1036 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 1036 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 1036 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe
PID 1036 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe

"C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 29438

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29438\Structure.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bowling + Micro + Britney 29438\J

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

29438\Structure.pif 29438\J

C:\Windows\SysWOW64\PING.EXE

ping -n 15 localhost

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 432

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1036 -ip 1036

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1036 -ip 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 432
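
Read top to bottom, the Processes listing above is the loader's batch stage in order: the extensionless Delays file is renamed to Delays.bat and run; tasklist output is piped through findstr for the process names of several AV products (Avast, AVG, Norton, Sophos, Webroot, Quick Heal); the payload is rebuilt from the dropped chunks with copy /b into 29438\Structure.pif and 29438\J; ping -n 15 localhost stalls execution for roughly fourteen seconds; and scheduled tasks named SwiftSync and Guess are registered to run wscript on a .js file with /RL HIGHEST. The WriteProcessMemory rows above the listing then show Structure.pif (PIDs 848 and 1036) writing into argument-less dialer.exe children, and WerFault follows each of them. The Python below is an added example and is not part of the sandbox report: it runs detection rules over those command lines, transcribed here as constructed input, and flags each step. The rule names, the ping threshold, the user-writable directory list and the script-host list are my own assumptions; the security-tool names come straight from the findstr arguments.

```python
import re

# Constructed input: (image path, command line) pairs transcribed from the
# Processes section of the report. The sandbox listing carries no parent PIDs,
# so every record is judged on its own image path and command line.
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 29438"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29438\Structure.pif"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Bowling + Micro + Britney 29438\J"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif",
     r"29438\Structure.pif 29438\J"),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 15 localhost"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST'''),
    (r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"'),
]

# Process names the batch file greps for (taken from the findstr lines above).
SECURITY_TOOLS = {"avastui.exe", "avgui.exe", "nswscsvc.exe",
                  "sophoshealth.exe", "wrsa.exe", "opssvc.exe"}
# Assumptions: extensions/paths/hosts that I treat as suspicious in combination.
MASQUERADE_EXTS = (".pif", ".scr", ".com")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")
PING_SLEEP_MIN = 5  # echo count at/above which a localhost ping is a sleep

RENAME_BAT = re.compile(r"\bmove\s+(?P<src>\S+)\s+(?P<dst>\S+\.(?:bat|cmd))\b", re.I)
COPY_B = re.compile(r"\bcopy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)\s*$", re.I)
PING = re.compile(r"\bping(?:\.exe)?\s+-n\s+(?P<n>\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)


def _opt(cmdline, name):
    """Value of a schtasks-style /name option, with surrounding quotes removed."""
    m = re.search(rf'/{re.escape(name)}\s+("[^"]*"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def copy_b_parts(cmdline):
    """Parse `copy /b A + B + C dest` into (parts in order, dest); None if absent."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    return [p.strip() for p in m.group("parts").split("+")], m.group("dest")


def analyze(processes):
    """Return (rule, detail) findings for each record that matches a rule."""
    findings = []
    for image, cmdline in processes:
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        m = RENAME_BAT.search(cmdline)
        if m:
            findings.append(("rename_to_batch", f"{m['src']} -> {m['dst']}"))
        if name == "findstr.exe":
            tokens = {t.strip('"').lower() for t in cmdline.split()}
            hits = sorted(tokens & SECURITY_TOOLS)
            if hits:
                findings.append(("security_tool_enum", "findstr for " + ", ".join(hits)))
        cb = copy_b_parts(cmdline)
        if cb:
            parts, dest = cb
            findings.append(("binary_concat", f"{dest} <- {' + '.join(parts)}"))
        m = PING.search(cmdline)
        if m and int(m["n"]) >= PING_SLEEP_MIN:
            findings.append(("ping_delay", f"~{int(m['n']) - 1}s sleep via ping"))
        if SCHTASKS.search(cmdline):
            tr = _opt(cmdline, "tr") or ""
            rl = (_opt(cmdline, "rl") or "").upper()
            if any(h in tr.lower() for h in SCRIPT_HOSTS) or rl == "HIGHEST":
                findings.append(("schtasks_persistence",
                                 f"task {_opt(cmdline, 'tn')!r} runs {tr!r} RL={rl or 'default'}"))
        if low.endswith(MASQUERADE_EXTS) and any(d in low for d in USER_WRITABLE):
            findings.append(("masquerade_ext", f"{name} executed from a user-writable path"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_PROCESSES):
        print(f"{rule:22} {detail}")
```

No single rule here is conclusive on its own: copy /b and ping -n are legitimate in plenty of admin scripts. The signal is the combination on one host within a short window, which is why the function returns every hit rather than stopping at the first; a correlation rule on top would require, for instance, binary_concat plus masquerade_ext plus schtasks_persistence from the same parent tree.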

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
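
Every row in the Network table is a UDP query to 8.8.8.8, and all but one are reverse (PTR) lookups, whose in-addr.arpa names carry the address octets in reverse order. Turning them back into forward addresses is the first step before deciding which of them belong to the sample and which are Windows or sandbox background traffic; the remaining query, a 29-character label used twice, looks nothing like a hostname and is worth flagging separately. The Python below is an added example, not part of the report: it decodes the Domain column (transcribed here as constructed input) and classifies each name. The private/public split uses the standard library's ipaddress ranges; the label-length cutoff and the repeated-label heuristic are my assumptions.

```python
import ipaddress
import re

# Constructed input: the Domain column of the Network table above.
SAMPLE_QUERIES = [
    "133.211.185.52.in-addr.arpa",
    "173.178.17.96.in-addr.arpa",
    "67.31.126.40.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY",
    "97.17.167.52.in-addr.arpa",
    "50.23.12.20.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "18.134.221.88.in-addr.arpa",
    "194.178.17.96.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
    "88.16.208.104.in-addr.arpa",
]

PTR_V4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)
MAX_LABEL = 24  # assumption: longer single labels are rare in real hostnames


def ptr_to_ip(name):
    """Reverse-lookup name -> forward IPv4 string, or None if not a valid v4 PTR name."""
    m = PTR_V4.match(name)
    if not m:
        return None
    try:
        # in-addr.arpa stores the octets least-significant first, so reverse them
        return str(ipaddress.IPv4Address(".".join(m.groups()[::-1])))
    except ipaddress.AddressValueError:  # an octet above 255
        return None


def classify(name):
    """Return (kind, value): decoded IP for PTR names, the name itself otherwise."""
    ip = ptr_to_ip(name)
    if ip:
        kind = "ptr_private" if ipaddress.ip_address(ip).is_private else "ptr_public"
        return kind, ip
    labels = name.rstrip(".").split(".")
    if len(set(labels)) == 1 or max(len(label) for label in labels) > MAX_LABEL:
        return "suspicious_name", name
    return "forward", name


def summarize(names):
    """Group query names by class, preserving the report's order within each class."""
    out = {}
    for n in names:
        kind, value = classify(n)
        out.setdefault(kind, []).append(value)
    return out


if __name__ == "__main__":
    for kind, values in summarize(SAMPLE_QUERIES).items():
        print(kind)
        for v in values:
            print("   ", v)
```

Once decoded, the addresses can be checked against the CDN and telemetry ranges the detonation platform itself talks to; the report records only the query names, not the answers, so nothing here should be read as a contacted C2.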

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Delays

MD5 60a0a998ac721ce59926c350c1cfa346
SHA1 9b69aef9a6d12e0e7f4efab8f7a65329c0d958f2
SHA256 0129d157049640ba4a556776946a767b859bcf0503ccaf17c5f8b373fbfbcd38
SHA512 86e705176ab1060c29930bdb516dd4bb3d0ae32c7fbf49f5ada56478be067cae7c5be0bbf1abb44c042f9dfa531123d85c45d7ed92e6509562dbf023bce04e30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Networks

MD5 e0ee57b3d753dba0d3a58379968e19c9
SHA1 7cb2bd6f3bab50a9836a620610d8e47459445ab0
SHA256 4175135f12188ab2c643aeeca361bcd506730de21255b8eabf6cb8f1d4c2ecf5
SHA512 3cd236c51634159250317f3a8705a836cb72203184c3ca5313d18c8e15bff9d25dd50e7c6ac7af66c9d107046e0ec09579d630b510a1c22b94d6cfbc02034059

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Temporary

MD5 90114130f88ac2fb224c689998e124ce
SHA1 df94c44b1ceae98749237fae6ac07092fc4c6099
SHA256 87b55a91dd04d2377e0eddf641fa5d2325bce6a9025dd3cfddb3cb5ca1192cff
SHA512 38fd4b234a0358f1fe4a77b0f4c3204768759edd9a626676364081fc90d18cd0bf3dab181e8c928526b38e7f7e959a4f3cb34022a66c74226bf23d6d430d0b44

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aggressive

MD5 029325f8240d37784f57441b3176163c
SHA1 bd61a35e87d9e579e3f14f1912437ac91568e969
SHA256 32acea596c43d3a11f1dddd1b50eafa491bb97f4724d7cf193bbf584196889eb
SHA512 333aca81513e6dd0d49a824c889a945121f4f8343e6c53f47d589be0624c46ba5495fbac37560bec489583638ce03eac0cdab0d2a8273a6e70bedb8799cad85b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maps

MD5 43819522acece762a7389a5683136c4d
SHA1 b3ff7cf638094690347653f613d5cac9913fbd68
SHA256 eb08e78f8bb92c71c0fe7b03bd6b9498e2fb7118635f7199b762301653c68c2b
SHA512 03dda574da87595b7593387d3e575d9c2ef5256d2e9dd4fb163ac9d993a2c7ad747445fd51c4a8b4627bd09c251aecd6fd3b1401a79cf4468f2f8a9f99ac58f4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aberdeen

MD5 cadf612984ebd5ecd45906b805ffe46c
SHA1 1b53b6b2a843e6d05678356664be82b0317a3c1a
SHA256 696dabffb01c537d4f35dcf5b44cd0b3250a96bf55b5e47f70351cb87d290909
SHA512 d412fb5f4469463a7e2394b9dc829241ae500ead96178c8da813f8bad6687f46f4ab9378512c55a9fb0025389abb47cdba4546a77b5f601d6f9cb3cac48db51e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bowling

MD5 51269b2f02dba8f71d9fa5a2a7119642
SHA1 6502d3e85e61fd6cb03f68525bd92682e0de6198
SHA256 526e1f710c86eb4d1f3b05bb5bc981d7fb7fd5daed752992f1f543daadffb89f
SHA512 2e0ff51926256595c95b636e6a8314cac1763be5cdb0f51a54dc59d7b67b20275d425eec61fe483e65f73f3b58424fd6fc85b9fed4288fc2c5d57b4f49f7fd53

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Micro

MD5 16c7e782af3a480cf58b2f67f47a637c
SHA1 f23178c12ada8993410e8f1a59a1e271879d5977
SHA256 ce65a1dea48934a61b3e98697659857e466e859d22ed244cbf45e9feded8c8b4
SHA512 6d61e15ada0b82668ada59e95d0d2b5f4bf21fa8beed38b66abea401a642f7c974710f30db0cd537d1397e7b0e060e2225e16f1269632578dd0301e0ab30b71b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Britney

MD5 afdc4a4520d5dc1c3dd70fda304c9aa9
SHA1 914ee920b6e037a42e3b522d89909ae1d899197a
SHA256 c16921f44342ff963f0a6f93e3816c2d9fab7e0382a87a755012fc56422423a7
SHA512 efc9cb520ad2997ca35c5d521839f9723a665fb162dc3c832ea7d7da3cbe855c1ef75904f5cfe9a608d3e97d268ecfd78730fc39dd01318a5234aa960e91381d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

MD5 52fdcc6257df74b280ab474e2981b342
SHA1 b0a1dad3915f04391c67faa762cab32df21b655c
SHA256 a7e7eaf50bcf21cf726aac26d318a74e6b4ef7366ed0cad0e499c3c2eb112c43
SHA512 c2ddaeeac1cb3c82d270a2a936bb247ca0fbe01b25b0e429be11adceabbaac0e571375fe53197dfaa110c17c001980266fb3bc4c0ecaa2408116430588e35639

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\J

MD5 9e026102dd03937a6464c85c69a2383f
SHA1 520325a083a63ee251284fa447acb52f8004ce53
SHA256 9df3a12e7cc135b26f76b2e967df78b81fd5f505d356e9fc079bf04026931759
SHA512 26b989788ff0c2f2d626b59451a7fd6e3a2c11ea898b1066de5fb2f9fa59f87760bd10ba7db4377455ef9cd2368954d272a58a6a10e6b4fb7ca6eb6625f2fe77

memory/4944-32-0x00000000774F1000-0x0000000077611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

memory/4944-37-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

memory/848-38-0x0000000000710000-0x0000000000798000-memory.dmp

memory/848-39-0x0000000000710000-0x0000000000798000-memory.dmp

memory/848-41-0x0000000000710000-0x0000000000798000-memory.dmp

memory/848-42-0x0000000003BC0000-0x0000000003FC0000-memory.dmp

memory/848-43-0x0000000003BC0000-0x0000000003FC0000-memory.dmp

memory/848-44-0x0000000003BC0000-0x0000000003FC0000-memory.dmp

memory/848-45-0x00007FF86F730000-0x00007FF86F925000-memory.dmp

memory/848-47-0x0000000003BC0000-0x0000000003FC0000-memory.dmp

memory/848-48-0x0000000075D50000-0x0000000075F65000-memory.dmp

memory/3424-49-0x0000000000C20000-0x0000000000C29000-memory.dmp

memory/3424-52-0x00000000028B0000-0x0000000002CB0000-memory.dmp

memory/3424-51-0x00000000028B0000-0x0000000002CB0000-memory.dmp

memory/3424-53-0x00007FF86F730000-0x00007FF86F925000-memory.dmp

memory/3424-55-0x00000000028B0000-0x0000000002CB0000-memory.dmp

memory/3424-56-0x0000000075D50000-0x0000000075F65000-memory.dmp

memory/3424-57-0x00000000028B0000-0x0000000002CB0000-memory.dmp

memory/848-58-0x0000000003BC0000-0x0000000003FC0000-memory.dmp

memory/1036-60-0x0000000000D10000-0x0000000000D98000-memory.dmp

memory/1036-63-0x0000000000D10000-0x0000000000D98000-memory.dmp

memory/1036-64-0x0000000000D10000-0x0000000000D98000-memory.dmp

memory/1036-67-0x0000000004270000-0x0000000004670000-memory.dmp

memory/1036-66-0x0000000004270000-0x0000000004670000-memory.dmp

memory/1036-68-0x00007FF86F730000-0x00007FF86F925000-memory.dmp

memory/1036-69-0x0000000004270000-0x0000000004670000-memory.dmp

memory/1036-71-0x0000000075D50000-0x0000000075F65000-memory.dmp

memory/2856-74-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/2856-75-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/2856-76-0x00007FF86F730000-0x00007FF86F925000-memory.dmp

memory/2856-78-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/2856-79-0x0000000075D50000-0x0000000075F65000-memory.dmp

memory/1036-80-0x0000000004270000-0x0000000004670000-memory.dmp

memory/2856-81-0x00000000023D0000-0x00000000027D0000-memory.dmp