Malware Analysis Report

2024-11-30 02:05

Sample ID 240329-3mysmacg88
Target scandoc0327002.zip
SHA256 67e3a815d433caef4c284c7a9289fd647bda469f4f005a398f9766bc3fae0ff6
Tags: persistence, rhadamanthys, stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: 67e3a815d433caef4c284c7a9289fd647bda469f4f005a398f9766bc3fae0ff6

Threat Level: Known bad

The file scandoc0327002.zip was found to be: Known bad.

Malicious Activity Summary

Tags: persistence, rhadamanthys, stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-29 23:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win7-20240221-en
Max time kernel: 1557s
Max time network: 1560s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

Network

N/A

Files

memory/2528-5-0x000000001B170000-0x000000001B452000-memory.dmp

memory/2528-6-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/2528-8-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/2528-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

memory/2528-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

memory/2528-10-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/2528-11-0x0000000002470000-0x00000000024F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0V9LTNYOF7JJHOJB4I98.temp

MD5 828658ac2db51839ee4dda61679a2e2f
SHA1 0c20bb64e6cbf6088d1621a547d15dd74da45be3
SHA256 584d03a0ce2ec0c67801c25665f37f644225d3db2e120dc7fc0d0a6c81871103
SHA512 ab52b1d9423e7c3a9b6e5ca8ed2f58c4c23f6144e7a7a8c64aa13a9ebcea0af00a192a03f0a4587902113540d16d1a89000c9d3fc2307d4147624d641eeaf964

memory/960-14-0x00000000739B0000-0x0000000073F5B000-memory.dmp

memory/960-15-0x0000000002150000-0x0000000002190000-memory.dmp

memory/960-16-0x0000000002150000-0x0000000002190000-memory.dmp

memory/960-17-0x0000000002150000-0x0000000002190000-memory.dmp

memory/2528-18-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

memory/960-19-0x00000000739B0000-0x0000000073F5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win10-20240221-en
Max time kernel: 467s
Max time network: 442s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3D.tmp" "c:\Users\Admin\AppData\Local\Temp\wahc3252\CSCBE51DBA44E604148AFFD394BA92278CD.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0sm4ml2g\0sm4ml2g.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1968.tmp" "c:\Users\Admin\AppData\Local\Temp\0sm4ml2g\CSC1A41F622A19B4FDFBDE5D3253992B7A7.TMP"

C:\Windows\system32\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp

Files

memory/3288-5-0x00007FFB64800000-0x00007FFB651EC000-memory.dmp

memory/4980-8-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/4980-10-0x0000000006590000-0x00000000065C6000-memory.dmp

memory/3288-11-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/3288-9-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/4980-12-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4980-13-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/3288-15-0x000001FF6FAD0000-0x000001FF6FAF2000-memory.dmp

memory/4980-16-0x0000000006CE0000-0x0000000007308000-memory.dmp

memory/4980-20-0x0000000006A20000-0x0000000006A42000-memory.dmp

memory/3288-21-0x000001FF6FC80000-0x000001FF6FCF6000-memory.dmp

memory/4980-22-0x0000000006BC0000-0x0000000006C26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2cctiso.mtg.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4980-31-0x0000000007310000-0x0000000007376000-memory.dmp

memory/4980-36-0x00000000074F0000-0x0000000007840000-memory.dmp

memory/4980-45-0x0000000006CB0000-0x0000000006CCC000-memory.dmp

memory/4980-46-0x0000000007900000-0x000000000794B000-memory.dmp

memory/4980-47-0x0000000007C10000-0x0000000007C86000-memory.dmp

memory/4980-64-0x0000000009420000-0x0000000009A98000-memory.dmp

memory/4980-65-0x00000000089B0000-0x00000000089CA000-memory.dmp

memory/4980-71-0x0000000008DA0000-0x0000000008E34000-memory.dmp

memory/4980-72-0x0000000008C90000-0x0000000008CB2000-memory.dmp

memory/4980-73-0x0000000009AA0000-0x0000000009F9E000-memory.dmp

memory/3288-78-0x00007FFB64800000-0x00007FFB651EC000-memory.dmp

memory/4980-79-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/3288-80-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/4980-81-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/3288-82-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/4980-83-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/3288-85-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.cmdline

MD5 7d3f602461fd8d45b0961650cac195b4
SHA1 97d500e9b5a405954dc440ae7d957a7a07feb6d5
SHA256 fc33fd3902e1d2de287a7f855845f6b1d1a6b630fa5ef3df511d8c25df83b32b
SHA512 2c43bee0d3420bcb794f78897e5894264de237063f4c27d9fb8af04db5e6be4e0c22a305a7a1edae3e899dd5734d2b1bc58498c750273626f3ebb68e71cb54fe

\??\c:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.0.cs

MD5 0c6b6122e65041da2deb106419c81970
SHA1 8a12628dc5ad5d9f522bba863c7a42da8fdc6c47
SHA256 afb856249a4eab1884344e28058ce5a3495364270f4f88799cf872ec82cf348a
SHA512 a65b157dc5202a07cac7656c69fcba17329aef97282fabcdd359a28f47214b1babebf7a1107045a12586513b8e59a9826b3fb4e35796b7b91630023926950651

\??\c:\Users\Admin\AppData\Local\Temp\wahc3252\CSCBE51DBA44E604148AFFD394BA92278CD.TMP

MD5 4fd6459269e73fa7b516b37e95d928b3
SHA1 3ec6e36efed09bc0be36e00e8584c38b749ef32c
SHA256 bc1dd2d80e2a5d3fb6bbd6ba9569e23b494d25d62ca06fd574d0b4b3e5e61e08
SHA512 4f8c7b522d56cf5630894451cc284b2de138eed4c15e4f054882df130216b26b6a075e7f1cda7fcafd08255cc9a880deef48554c4a166eea53c9e0c31d18b648

C:\Users\Admin\AppData\Local\Temp\RESE3D.tmp

MD5 608796b77120d6aacd8da6780f6ad863
SHA1 d1291b28c8ac3b8d96f407da167ad9d97e972700
SHA256 e392f9a84d4d25ca2889fb385ad30fe401ff5b3fc88ed4ee343530a6568f54c6
SHA512 da452093436d5f89beff3db6df1800fd9cbb0f4c2b249a93241e1306a53af7eeb17cfe9d30a72e2f566801bca0e6c24c7f846a6e2375fc2033ef78c1d258955d

C:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.dll

MD5 5e8644237d264175cf40dbc31c72968d
SHA1 374bf2ec21d198a2c29ee9de651f3e2adf20ccc7
SHA256 da7e7275008510d88ade9993423012721f886094fa2807fd3e1b361fe7e747dc
SHA512 cd3fdbc6a7b749f65efa226ad90034188e6ffb5366053643e73344dd3e863a1fd2a2dea9fade3d9b570c294729a6e9f36a7dbd419c7dc2c23e2fe3851307f6c1

memory/3288-98-0x000001FF6FAC0000-0x000001FF6FAC8000-memory.dmp

memory/3288-112-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\0sm4ml2g\0sm4ml2g.cmdline

MD5 34ce466e8813f5815e51bef98d2ccbc5
SHA1 9d04bc9c76576742ab7c1a51851d3db6f25fdb06
SHA256 b121634abf91d502c8f9c91ca29b05944984aad4dac6fbf39427e2fb1cbb132e
SHA512 0be8e58cd3ff8ed8a1dbb0dd95b09d4fa292fb80d9b9c057d3316c118d4075b9ad52ce18c9539fc80630b9d7baee083de9b8f8cbde248c78107fa9cd9f165a15

\??\c:\Users\Admin\AppData\Local\Temp\0sm4ml2g\CSC1A41F622A19B4FDFBDE5D3253992B7A7.TMP

MD5 e6c329c319efe2c9095d967fdc78787e
SHA1 7d125264b9bc6ff65c8429efd276be88b954c9c7
SHA256 d689939f650f2fc0d8e1e6870122e66c8a680ccf031a43d3043382870f787a8f
SHA512 9878fb4b05254d52033c23b4026c1119c7b261e665dd0beae6bed4e65a9269d91e561c63f33a12294640854a0e887c23b009913bc873e0abd42f1ff15b67619f

C:\Users\Admin\AppData\Local\Temp\RES1968.tmp

MD5 883cacf8d678622b4a36272ff9d6a629
SHA1 719953a277913c3a31647dbb6ffc1462da42cb82
SHA256 620e4dcf75d82979943d4cbfb662bad3905badbc510c77f5bce6d2a69ac8b4d1
SHA512 dce960d05f3a0d39c070550c82557c90882954122ba3c3121030a11fa7791fa131d907411c1cd3177024e050f2c6e834e6b26f087259681c05097ad4b01bde79

C:\Users\Admin\AppData\Local\Temp\0sm4ml2g\0sm4ml2g.dll

MD5 e1d577ea6b35b615236d7e813ff66ea2
SHA1 07e3a0614ba63afa2caa3c7915115ef234690596
SHA256 353f7c9fab6a4e862a621bd1715469f9d1a114b0466df1ddaf352079187d77c9
SHA512 b74e32198f18954905eb1f1540efa81b7d4329853b38198243298b4c683853dce39081381303e91ca457741aa1dde0f5dad1a416cdd31af541f1457930b7b437

memory/4980-234-0x0000000002F30000-0x0000000002F38000-memory.dmp

memory/3288-1150-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/3288-1160-0x000001FF70000000-0x000001FF700A3000-memory.dmp

memory/3288-1169-0x000001FF70000000-0x000001FF700A3000-memory.dmp

memory/4980-1323-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4980-1439-0x00000000714B0000-0x00000000714BD000-memory.dmp

memory/4980-1440-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/3288-1441-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/3288-1443-0x000001FF70680000-0x000001FF706EB000-memory.dmp

memory/3288-1442-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/3288-1444-0x000001FF6FC70000-0x000001FF6FC79000-memory.dmp

memory/3288-1446-0x00007FFB70F60000-0x00007FFB7113B000-memory.dmp

memory/3288-1445-0x000001FF706F0000-0x000001FF70AF0000-memory.dmp

memory/3288-1449-0x000001FF70680000-0x000001FF706EB000-memory.dmp

memory/3288-1451-0x000001FF706F0000-0x000001FF70AF0000-memory.dmp

memory/3288-1453-0x00007FFB70F60000-0x00007FFB7113B000-memory.dmp

memory/3288-1450-0x000001FF706F0000-0x000001FF70AF0000-memory.dmp

memory/3288-1454-0x00007FFB6EF90000-0x00007FFB6F03E000-memory.dmp

memory/3288-1455-0x00007FFB6D540000-0x00007FFB6D789000-memory.dmp

memory/3288-1448-0x000001FF706F0000-0x000001FF70AF0000-memory.dmp

memory/884-1456-0x000001D2BFAC0000-0x000001D2BFAC9000-memory.dmp

memory/3288-1466-0x000001FF6F390000-0x000001FF6F3A0000-memory.dmp

memory/884-1468-0x000001D2C15F0000-0x000001D2C19F0000-memory.dmp

memory/884-1469-0x000001D2C15F0000-0x000001D2C19F0000-memory.dmp

memory/884-1476-0x00007FFB6EF90000-0x00007FFB6F03E000-memory.dmp

memory/884-1474-0x00007FFB70F60000-0x00007FFB7113B000-memory.dmp

memory/884-1479-0x00007FFB70F60000-0x00007FFB7113B000-memory.dmp

memory/884-1480-0x00007FFB6D540000-0x00007FFB6D789000-memory.dmp

memory/884-1477-0x000001D2C15F0000-0x000001D2C19F0000-memory.dmp

memory/3288-1473-0x000001FF70000000-0x000001FF700A3000-memory.dmp

memory/884-1502-0x00007FFB70F60000-0x00007FFB7113B000-memory.dmp

memory/884-1500-0x000001D2C15F0000-0x000001D2C19F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win10v2004-20240226-en
Max time kernel: 1160s
Max time network: 1165s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2192 created 2564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\sihost.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5016 wrote to memory of 5072 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 5072 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 5072 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2192 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2192 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 3416 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2192 wrote to memory of 3416 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3416 wrote to memory of 5064 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3416 wrote to memory of 5064 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2192 wrote to memory of 864 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 2192 wrote to memory of 864 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 2192 wrote to memory of 864 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 2192 wrote to memory of 864 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 5072 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5072 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5072 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1720 wrote to memory of 4196 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1720 wrote to memory of 4196 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1720 wrote to memory of 4196 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAC4.tmp" "c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\CSC155EABC788C14E8D84C1F82675C2966.TMP"

C:\Windows\system32\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vxlj2ee\4vxlj2ee.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\4vxlj2ee\CSC948A045653934277AC1CC76DC76517.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.34.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp

Files

memory/2192-1-0x00007FFE145C0000-0x00007FFE15081000-memory.dmp

memory/2192-2-0x000001D776950000-0x000001D776960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otql5kvc.eh2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5072-13-0x0000000002740000-0x0000000002776000-memory.dmp

memory/2192-12-0x000001D778AD0000-0x000001D778AF2000-memory.dmp

memory/5072-14-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/5072-17-0x0000000005240000-0x0000000005868000-memory.dmp

memory/2192-16-0x000001D776950000-0x000001D776960000-memory.dmp

memory/5072-18-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/5072-15-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/5072-20-0x0000000005050000-0x0000000005072000-memory.dmp

memory/2192-19-0x000001D776950000-0x000001D776960000-memory.dmp

memory/5072-21-0x00000000050F0000-0x0000000005156000-memory.dmp

memory/5072-22-0x0000000005160000-0x00000000051C6000-memory.dmp

memory/5072-32-0x0000000005870000-0x0000000005BC4000-memory.dmp

memory/5072-33-0x0000000004E00000-0x0000000004E1E000-memory.dmp

memory/5072-34-0x00000000060B0000-0x00000000060FC000-memory.dmp

memory/5072-35-0x0000000007990000-0x000000000800A000-memory.dmp

memory/5072-36-0x0000000006560000-0x000000000657A000-memory.dmp

memory/5072-37-0x00000000073B0000-0x0000000007446000-memory.dmp

memory/5072-38-0x0000000006680000-0x00000000066A2000-memory.dmp

memory/5072-39-0x00000000085C0000-0x0000000008B64000-memory.dmp

memory/2192-41-0x00007FFE145C0000-0x00007FFE15081000-memory.dmp

memory/5072-42-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/5072-44-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/2192-43-0x000001D776950000-0x000001D776960000-memory.dmp

memory/2192-46-0x000001D776950000-0x000001D776960000-memory.dmp

memory/5072-47-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/2192-48-0x000001D776950000-0x000001D776960000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.cmdline

MD5 efb62d351c5d67de9ed71e99f7bdc501
SHA1 fbe9e20901c3040084572043b4e4c227a6d62184
SHA256 e186ce0b13ca4f18b4d9fd824c6d78fd30f97744a7d912eecf536f77559f047c
SHA512 53fd18e0d1b05ceb4415221a0981b7eb437a5b8eb433a626359f119b8215c53cfd060cf1febdf3ee0664ec9a232e7645ab61f93da9ad0788bc6564594ffe8f24

\??\c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.0.cs

MD5 0c6b6122e65041da2deb106419c81970
SHA1 8a12628dc5ad5d9f522bba863c7a42da8fdc6c47
SHA256 afb856249a4eab1884344e28058ce5a3495364270f4f88799cf872ec82cf348a
SHA512 a65b157dc5202a07cac7656c69fcba17329aef97282fabcdd359a28f47214b1babebf7a1107045a12586513b8e59a9826b3fb4e35796b7b91630023926950651

\??\c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\CSC155EABC788C14E8D84C1F82675C2966.TMP

MD5 6e7512a0ffdbb35dc4a8719de9d776d8
SHA1 8987a1c784ac84825a1ba42f430edd71bb4207d3
SHA256 11756aad0f6784dcd0d14575495952912191d0e1ee716fa9eecfa6cb20cb5751
SHA512 9d42c38f1dcc2ec2e9775fbd8100a98e3ff6294c1753e7b9b194eb2615f5b018daa444b51cbd8a8564d4c682dda351eee5093cb7b17dc75f8bd30b40955a09b0

C:\Users\Admin\AppData\Local\Temp\RESFAC4.tmp

MD5 043f32750df05893f9c33408613c0fdd
SHA1 8863856befe48845472ac0aa9dd1c9b72129d269
SHA256 6515453ea722bf2cc94788da31b47867b378b443614ba73baf0cc6a88085ada9
SHA512 39c137370b29439305aefe03e804943f2464ad0b481be4c5c3193027d31da9d7c2a38e72cd4116477a40a60a6ac2765fcc095055bc3e5d4f310a5bd0c059d948

memory/2192-61-0x000001D778D40000-0x000001D778D48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.dll

MD5 085359a1da4de3cc26f9631a3c2297d8
SHA1 733883a65e8a07834e9392ee4c3d7d2be4a361c3
SHA256 7207bc0d5dbbd51bb8276318d6e3d7a8c53bf41902b960d2e6bd4fb799b6e988
SHA512 f925f8cf6679a3bd35b15dd8960a2097437f14a58b69e78c2986004fa7ecfa201705072ee3d90c5f1a36d4778bcd73fe0f67269ed2a4147f93298c09b9604bc6

memory/2192-63-0x000001D776950000-0x000001D776960000-memory.dmp

memory/2192-64-0x000001D778D50000-0x000001D778DF3000-memory.dmp

memory/2192-65-0x000001D778D50000-0x000001D778DF3000-memory.dmp

memory/2192-66-0x000001D7793A0000-0x000001D77940B000-memory.dmp

memory/2192-67-0x00007FFE33A30000-0x00007FFE33C25000-memory.dmp

memory/2192-68-0x000001D779410000-0x000001D779419000-memory.dmp

memory/2192-69-0x000001D7793A0000-0x000001D77940B000-memory.dmp

memory/2192-70-0x000001D779430000-0x000001D779830000-memory.dmp

memory/2192-71-0x000001D779430000-0x000001D779830000-memory.dmp

memory/2192-73-0x00007FFE33A30000-0x00007FFE33C25000-memory.dmp

memory/2192-72-0x000001D779430000-0x000001D779830000-memory.dmp

memory/2192-74-0x00007FFE330D0000-0x00007FFE3318E000-memory.dmp

memory/2192-75-0x00007FFE31300000-0x00007FFE315C9000-memory.dmp

memory/864-76-0x0000025E95F50000-0x0000025E95F59000-memory.dmp

memory/864-79-0x0000025E97AC0000-0x0000025E97EC0000-memory.dmp

memory/864-80-0x00007FFE33A30000-0x00007FFE33C25000-memory.dmp

memory/864-82-0x00007FFE330D0000-0x00007FFE3318E000-memory.dmp

memory/864-81-0x0000025E97AC0000-0x0000025E97EC0000-memory.dmp

memory/864-83-0x00007FFE31300000-0x00007FFE315C9000-memory.dmp

memory/864-84-0x0000025E97AC0000-0x0000025E97EC0000-memory.dmp

memory/2192-88-0x000001D778D50000-0x000001D778DF3000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4vxlj2ee\4vxlj2ee.cmdline

MD5 9a24b21fb7067bccefab06bbf70e7745
SHA1 e3bddbca8a99f353d7285d299f649295a8653d9b
SHA256 2597119f3623a5a3ce3edba7d46ed39f6b43156104d3a055a7fa93e5f60c60c9
SHA512 61a71981029bd0f8ed5ea26cc61efa61919bba965a9082ec276a738682f0e9f239e9ab24fdaff88ff9f106757a0f762a9f2c05fcc1a3a5a15f7e78b2aaf59519

\??\c:\Users\Admin\AppData\Local\Temp\4vxlj2ee\CSC948A045653934277AC1CC76DC76517.TMP

MD5 87cef804ff787048722ba36345a058ba
SHA1 c34ce8086a7a313dce4afaadfab2700440eabaad
SHA256 40422e0d70fcd61c6eb33c01b759ced4b369bce46781b5b44dbb1845c2896fa7
SHA512 96c23e8e96abc326089c7c4fa983878d380834f3d97cb9a8e76663d9e9a70e9f94f2b3159114043978e6e27eab10367b7089c61768d83ae0e6b5f3218966398c

C:\Users\Admin\AppData\Local\Temp\RES4F6C.tmp

MD5 83f7811d5d5e662ee620f7000bd9558b
SHA1 4e07e8ca1372c542e624258e8574cdc431ff1f5b
SHA256 6ba2aed718c8fd250291744b34a68c94f876df77c4ece38371ffe0100bcf5ddc
SHA512 fa46cc7b113c010d528d5875bfb851272e0745a1758f3a5e4550af77c5e3c03fa88344ebb223d92762254e401eeb54e929ecf1ff28f3386bca7e89ac5aa250cc

C:\Users\Admin\AppData\Local\Temp\4vxlj2ee\4vxlj2ee.dll

MD5 c2600b0ff8c75c37a8a19b778111b571
SHA1 9cfbd5e2ca30e2ddf1ea5ca3364b265bb9afd962
SHA256 5c24cbbaa6908e0cafae9f0248a23fbbb33475cb9033d3bae9ca02ac14ebcec2
SHA512 4f9a2091064022fc45fde1fa456fffe202bc616cb660c49fca820516ed89d5e45b8ed4549bb0a2ee04e03897546ee283025beea7fd412169a9156f2d447b351d

memory/5072-98-0x0000000000980000-0x0000000000988000-memory.dmp

memory/5072-102-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/5072-103-0x0000000072130000-0x0000000072142000-memory.dmp

memory/2192-104-0x00007FFE33A30000-0x00007FFE33C25000-memory.dmp

memory/2192-105-0x000001D779430000-0x000001D779830000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win11-20240221-en
Max time kernel: 1336s
Max time network: 1169s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2976 created 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\sihost.exe

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4972 wrote to memory of 2116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2976 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2976 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 4116 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2976 wrote to memory of 4116 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4116 wrote to memory of 756 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4116 wrote to memory of 756 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2116 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2116 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2116 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2332 wrote to memory of 1232 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2332 wrote to memory of 1232 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2332 wrote to memory of 1232 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2976 wrote to memory of 4584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 2976 wrote to memory of 4584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 2976 wrote to memory of 4584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe
PID 2976 wrote to memory of 4584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA179.tmp" "c:\Users\Admin\AppData\Local\Temp\5ttumtpw\CSC42A52E25B82943AAAEC654395C3480B0.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB00F.tmp" "c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\CSCBF3AF1A2C8A04CE192F5872E87624DE0.TMP"

C:\Windows\system32\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uw0hthia.pju.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2976-9-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

memory/2976-10-0x0000022FEA680000-0x0000022FEA690000-memory.dmp

memory/2976-11-0x0000022FEA650000-0x0000022FEA672000-memory.dmp

memory/2116-13-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/2116-14-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2116-12-0x00000000025D0000-0x0000000002606000-memory.dmp

memory/2116-15-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2116-16-0x0000000005070000-0x000000000569A000-memory.dmp

memory/2116-17-0x0000000004EF0000-0x0000000004F12000-memory.dmp

memory/2116-18-0x0000000004FA0000-0x0000000005006000-memory.dmp

memory/2116-24-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/2116-28-0x00000000058C0000-0x0000000005C17000-memory.dmp

memory/2116-29-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

memory/2116-30-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

memory/2116-31-0x0000000007510000-0x0000000007B8A000-memory.dmp

memory/2116-32-0x0000000006300000-0x000000000631A000-memory.dmp

memory/2116-33-0x0000000007090000-0x0000000007126000-memory.dmp

memory/2116-34-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

memory/2116-35-0x0000000008140000-0x00000000086E6000-memory.dmp

memory/2976-37-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

memory/2116-38-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/2976-39-0x0000022FEA680000-0x0000022FEA690000-memory.dmp

memory/2976-40-0x0000022FEA680000-0x0000022FEA690000-memory.dmp

memory/2116-41-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2976-42-0x0000022FEA680000-0x0000022FEA690000-memory.dmp

memory/2116-43-0x00000000026A0000-0x00000000026B0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.cmdline

MD5 ab3203477b605ab98cf7a69a2ea72b76
SHA1 f488a639a585ab33eb866443031a7763e99c752c
SHA256 5c4e30faa4fc7bd0f13c14caf70d37716a899621d87d25c556196ad0377e34b1
SHA512 346cf3d4ece735c99cb60bed6e8bc0cc2e34693f30dc2abe4f24d7273cc0131d0859d03502b2988b8f0ea1ecaf3decc423dfb5dc0a012165edde3f362c3b1968

\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.0.cs

MD5 0c6b6122e65041da2deb106419c81970
SHA1 8a12628dc5ad5d9f522bba863c7a42da8fdc6c47
SHA256 afb856249a4eab1884344e28058ce5a3495364270f4f88799cf872ec82cf348a
SHA512 a65b157dc5202a07cac7656c69fcba17329aef97282fabcdd359a28f47214b1babebf7a1107045a12586513b8e59a9826b3fb4e35796b7b91630023926950651

\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\CSC42A52E25B82943AAAEC654395C3480B0.TMP

MD5 8ba6016950fe1c55914a6c68c6cf6d6d
SHA1 025511811928d6bed45293e4cd267fd859e6bceb
SHA256 59eff0a399518930082da030e7f9e6f2a4bff7fe6a350cae124d3486db775de8
SHA512 ad5342d3358d197c301d65ce2fcd5a248d1dbdb93590bebae29ecf46225a887e76d6da9ffc03173e064656b41b6824b50ac3f28cd9c065ac095f5a9b9f6c6a10

C:\Users\Admin\AppData\Local\Temp\RESA179.tmp

MD5 d7e15f09b49dcfa6ed301cce1adcf805
SHA1 9e1fb4310dcd2aa63bc8b9e87a4f2db60239c391
SHA256 7d1e16e8efe2aa10086f71e122bccbeb01b1e6d5212119b6ef213e4a51c19224
SHA512 d696c4717df7eb3888c53b778c12e813e7996de8025d3b30fdf8ecd88796031476bcca6b8836d7b6d4baa101cbaa67adfe171c4ac2fffba9b4b019e74926e528

memory/2976-56-0x0000022FEA790000-0x0000022FEA798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.dll

MD5 e42c6c731e1a381cd0ffb14ab6e55d87
SHA1 8369aa31417ebef7d94f72e3037c4359ea152dec
SHA256 c5556d2f763ed4cf72c17cd40d0e0e408bd521f4eb5982ba7812d8a948423b4e
SHA512 55bd96f542106e9ed20e671c7184db6fa35343f379fc74a1d86c8021fd532e62783d44c6f92ce8b0a0d6630799c5c6c6c04094a5f72825cae59f6ea9f1425b0b

memory/2976-58-0x0000022FEA680000-0x0000022FEA690000-memory.dmp

memory/2976-59-0x0000022FEADF0000-0x0000022FEAE93000-memory.dmp

memory/2976-60-0x0000022FEADF0000-0x0000022FEAE93000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.cmdline

MD5 23a134c2819e4661a7125f1b4691c79f
SHA1 a6917ed2b2974205e6b9aa149d9325849a3fa3f7
SHA256 a66287c8a9a33763da4fa2f50e077db68d94196b37013c756bf86d6d2efcb78d
SHA512 29bedfecde86b262beb0c473cfc7092f9d0b665c1c74a69b64d2cc79220342c6846bfacb4dd490cb0df2468e11918bbb83faaaf3a7abee91db53749ef13d96ca

\??\c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\CSCBF3AF1A2C8A04CE192F5872E87624DE0.TMP

MD5 1afec7c4d6a732db99009db6823baa84
SHA1 83465f655bb066cba2be1ef6b63017aac6432ec2
SHA256 c1f4726d35b472b160c5cc13e91ea5b966e0fcc80770cc03a50c3fae0da0c8af
SHA512 38188c7d3180c3eadd1d4c0952ab442b257667fc69d03c08e7ee7bd52e1c67a974f36eb421e3e015e414f1a69d2ab14c9ba2d767eb3b2022fd90e3682eeeec08

C:\Users\Admin\AppData\Local\Temp\RESB00F.tmp

MD5 6d981c71aa2c53148b8529ac4657728b
SHA1 57d4b066efda0789284bd1da3ce0106d1307ae01
SHA256 f6370063e465978d9cf0044822ceb94354a760ee682145918f78d548af632b6d
SHA512 ddf3fc754bb500048b5dd56f2c40ed1056afee9d7a2d7709f1857224c5a20fc152ff57a51579f762ba22fddb88e7b48fc700bb15a5f6b681ee4f3ee3f001d956

C:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.dll

MD5 018175c97a3f244828c20c7d66c1a6a3
SHA1 ba43f2c16cf96e7c3685e2198e39e3c3d3930d74
SHA256 11d7be2ba81a464a8449210f36bb93e40f761772f6327177c234779ae2026f45
SHA512 8c64df444dbd7e04e179c466eaf270c879948a0488c552cec7b63bbd1280fb7e562eafe87c2093cd01d0fa45bc30cb0739186f671ed621b0302b833290f01697

memory/2116-73-0x0000000000A40000-0x0000000000A48000-memory.dmp

memory/2116-75-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2116-78-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/2976-79-0x0000022FEB020000-0x0000022FEB08B000-memory.dmp

memory/2976-80-0x0000022FEA7E0000-0x0000022FEA7E9000-memory.dmp

memory/2976-82-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp

memory/2976-81-0x0000022FEB020000-0x0000022FEB08B000-memory.dmp

memory/2976-84-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp

memory/2976-85-0x00007FFB76060000-0x00007FFB76269000-memory.dmp

memory/2976-87-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp

memory/2976-88-0x00007FFB73A60000-0x00007FFB73DD4000-memory.dmp

memory/2976-86-0x00007FFB74FE0000-0x00007FFB7509D000-memory.dmp

memory/4584-89-0x0000028EAAB20000-0x0000028EAAB29000-memory.dmp

memory/4584-91-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp

memory/4584-92-0x00007FFB76060000-0x00007FFB76269000-memory.dmp

memory/4584-94-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp

memory/4584-96-0x00007FFB73A60000-0x00007FFB73DD4000-memory.dmp

memory/4584-95-0x00007FFB76060000-0x00007FFB76269000-memory.dmp

memory/4584-93-0x00007FFB74FE0000-0x00007FFB7509D000-memory.dmp

memory/4584-97-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp

memory/4584-98-0x00007FFB76060000-0x00007FFB76269000-memory.dmp

memory/2976-99-0x0000022FEADF0000-0x0000022FEAE93000-memory.dmp

memory/2976-100-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp

memory/2976-101-0x00007FFB76060000-0x00007FFB76269000-memory.dmp