rhadamanthys | hxxp://94[.]156[.]66[.]151/

Resubmissions

18-03-2024 18:43

240318-xddhfafd78 10

18-03-2024 18:31

240318-w6jz9afh4s 10

18-03-2024 18:08

240318-wqytgaeg87 10

Analysis

max time kernel
110s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://94.156.66.151/

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5700 created 2340	5700	hghghjhfhleviticus.exe	42

Executes dropped EXE 1 IoCs

pid	Process
5700	hghghjhfhleviticus.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133552603475641139"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
5700	hghghjhfhleviticus.exe
5700	hghghjhfhleviticus.exe
6088	dialer.exe
6088	dialer.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5912	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeDebugPrivilege	5580	taskmgr.exe
Token: SeSystemProfilePrivilege	5580	taskmgr.exe
Token: SeCreateGlobalPrivilege	5580	taskmgr.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5912	mmc.exe
5912	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 3132	1092	chrome.exe	95
PID 1092 wrote to memory of 3132	1092	chrome.exe	95
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1460	1092	chrome.exe	98
PID 1092 wrote to memory of 1368	1092	chrome.exe	99
PID 1092 wrote to memory of 1368	1092	chrome.exe	99
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100
PID 1092 wrote to memory of 800	1092	chrome.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340
- C:\Windows\system32\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://94.156.66.151/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9876c9758,0x7ff9876c9768,0x7ff9876c9778
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4688 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4816 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4512 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5500
- C:\Users\Admin\Downloads\hghghjhfhleviticus.exe
  "C:\Users\Admin\Downloads\hghghjhfhleviticus.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1856,i,16004049600585710130,2815474284230876662,131072 /prefetch:8
  2⤵
  PID:5988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:904

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:5236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3056

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7dc9d826aa9f0b0eabc5a167ccbfb295

SHA1
bd4037b72a20ab0370559c07d6dc57f9d362aef2

SHA256
e1a57f0cda5e6b7b57faac113da4ba863dbfbd6588d686704ef90215f42c2bda

SHA512
d9f189a26092411c500ddb25470a3bb6be8f8e60ef7af489cc67cc7f2727be2fd6d9c3bae827fe1d9539e8b675614dfec694520b472dc50398b92f7d129e1bab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6d62ef66ada2f63040944a85897bfb47

SHA1
311c74abd08f337b15c7d7b35a2bb228600657fe

SHA256
3b8c91f35cc73cd4e7f02bff2a2ac3a14f88f22eb16393d28e2be0e0c16c1085

SHA512
a99335052a319a09e9363579ce4ae0db0bef3794c198393ac82ef0f63621500a508701ebff0fe9caccadd62771a03aa09383e638050d3efea277afebddfde37e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5ca9196bc142396ba8fc95e2319d8c60

SHA1
517230bb93e2b84103166d3722343aaf143b5bd0

SHA256
92d776138f436fb0d05cea2dba49442c9f452c9d9bfb2bc2283c8d7a297c76ab

SHA512
fbb430376e584092463f16987ca6c4685d5467fe1acc122d1724eee6b08541ce57c689575f86b0d03ac5a7dea71b46e201cba2f3b663fdb9fa640815394beb6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c5de68444bc45d28ae1ce8a12b636bce

SHA1
1d1b0272096f77406754524d45e8955d767ec167

SHA256
657e41f22f9c7aa8f9b3d1faa9592ab49cb806a88f4fcba6742ebaa620be6a9b

SHA512
20ce648c8c55f82ec482d5d8ab38561334e453865a68d79ba1ce70f1b8c4d67bb4b26dd24cd0b31e40a9a1b67756c3c93ac3811dd278d606b08d56910faccbac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
96cc692c1e894e4514573e79ba0632c5

SHA1
0fe15fb81965da490dfba55667b33991feb8bfbe

SHA256
bc3538f4e576e1b3bc11544e387f5618c89dd8f296cdb3a472fa4b3569e69633

SHA512
6ab894abc498cf3508fd300de07676082864ab09604dd80bda34b8b200f179f6f81a69b0ec32ab1e71d9dacd2217854f02b42a8d5b429e0a79e6aafd13ed07e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
506c0215702f3853e67241783fee0a6a

SHA1
a03a18ee6c8162bfccc550ab759bc86babd123eb

SHA256
4bf354d2b498f54243a833768444c6297aa89300573943719a30e073fbaa821e

SHA512
63aec67d35374bb7fa6e9c515cff7d8f4c7699f532d70d72d62d5db1964de57fbb14229de5fdc063e3aef248af1d6b0d93c1e0a863f9889229eba51d68ac0994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b6088b5f4f79c60a4f381674ed336fdb

SHA1
7bf1742a5cfa9c90a0975f4f3a03c052e01f331a

SHA256
52ac21a833d6014c7229eb368e0771766dbf05fcda57ede698f0ad441e5044a6

SHA512
76975ca6272c0240629d12b7b6b64533a77cabc4cb52e4d8938bcc1e2108a5115ceb08f1a790d1d46cf3bcad58ecc6c628ebcff612a949bd8f5a5464f013e42d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e50ae7ae-516b-4fee-8e5b-47e4227cf3d4.tmp

Filesize
128KB

MD5
e84fad85e5475f9cceca326e3c075606

SHA1
c86ea1e6accbbcc33663781c59f45ff3af3051ba

SHA256
ccab0685a48b1045858313dab8a6f738753a56c1262048954ab1e70ea7d84ade

SHA512
b56c58ee3965a59ee6bad52b68f3b7991be9ccd59ca7929aec5f41c5b5592b394461b276b9ba40b12a6af6b9d8d3978fd955e4148963882b282f25d4ef657c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 523427.crdownload

Filesize
539KB

MD5
585cc99fbf9df24009231d70d007c236

SHA1
cd0e58b6a885580d048b4041bad3b92059bad5b9

SHA256
39ccc224c2c6d89d0bce3d9e2c677465cbc7524f2d2aa903f79ad26b340dec3d

SHA512
0cbf32cfcb2c76e175a479a0e35fe9aea4ce9f7a4eb57f09ec5ec099a6b968d6e5cd97617f07bf60798c76f36d7d6bd1aeb8313ab0f72fa75c660a525c252609

Download Submit
memory/5580-84-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-76-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-75-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-74-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-80-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-81-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-82-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-85-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-83-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5580-86-0x000001E0721F0000-0x000001E0721F1000-memory.dmp

Filesize
4KB

Download
memory/5700-59-0x0000000003370000-0x0000000003770000-memory.dmp

Filesize
4.0MB

Download
memory/5700-65-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5700-60-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/5700-62-0x00007FF9A6630000-0x00007FF9A66EE000-memory.dmp

Filesize
760KB

Download
memory/5700-63-0x00007FF9A3FF0000-0x00007FF9A42B9000-memory.dmp

Filesize
2.8MB

Download
memory/5700-61-0x0000000003370000-0x0000000003770000-memory.dmp

Filesize
4.0MB

Download
memory/5700-58-0x0000000003370000-0x0000000003770000-memory.dmp

Filesize
4.0MB

Download
memory/5700-57-0x0000000003370000-0x0000000003770000-memory.dmp

Filesize
4.0MB

Download
memory/5700-54-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5912-120-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/5912-124-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/5912-132-0x00007FF97EA70000-0x00007FF97F531000-memory.dmp

Filesize
10.8MB

Download
memory/5912-129-0x00007FF97EA70000-0x00007FF97F531000-memory.dmp

Filesize
10.8MB

Download
memory/5912-128-0x000000001DF30000-0x000000001E030000-memory.dmp

Filesize
1024KB

Download
memory/5912-119-0x00007FF97EA70000-0x00007FF97F531000-memory.dmp

Filesize
10.8MB

Download
memory/5912-127-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/5912-122-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/5912-123-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/5912-126-0x00007FF401890000-0x00007FF4018A0000-memory.dmp

Filesize
64KB

Download
memory/5912-125-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/6088-73-0x000001A86C940000-0x000001A86CD40000-memory.dmp

Filesize
4.0MB

Download
memory/6088-69-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/6088-71-0x000001A86C940000-0x000001A86CD40000-memory.dmp

Filesize
4.0MB

Download
memory/6088-72-0x00007FF9A3FF0000-0x00007FF9A42B9000-memory.dmp

Filesize
2.8MB

Download
memory/6088-70-0x00007FF9A6630000-0x00007FF9A66EE000-memory.dmp

Filesize
760KB

Download
memory/6088-68-0x000001A86C940000-0x000001A86CD40000-memory.dmp

Filesize
4.0MB

Download
memory/6088-67-0x000001A86C940000-0x000001A86CD40000-memory.dmp

Filesize
4.0MB

Download
memory/6088-64-0x000001A86AEA0000-0x000001A86AEA9000-memory.dmp

Filesize
36KB

Download