Analysis
max time kernel: 651s
max time network: 630s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-04-2024 05:50
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://www.mediafire.com/file_premium/6h9hyxbf0k8pkgo/Ch3%2540t_Hub_New.rar/file
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: https://www.mediafire.com/file_premium/6h9hyxbf0k8pkgo/Ch3%2540t_Hub_New.rar/file
  Resource: win11-20240221-en
General
Target: https://www.mediafire.com/file_premium/6h9hyxbf0k8pkgo/Ch3%2540t_Hub_New.rar/file
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
Processes (description | pid | process | target process):
  PID 768 created 2936 | 768 | RegAsm.exe | sihost.exe
  PID 3308 created 2936 | 3308 | RegAsm.exe | sihost.exe
  PID 2996 created 2936 | 2996 | RegAsm.exe | sihost.exe
Executes dropped EXE (3 IoCs)
Processes (pid | process):
  1856 | Setup.exe
  1672 | Setup.exe
  1476 | Setup.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
  PID 1856 set thread context of 768 | 1856 | Setup.exe | RegAsm.exe
  PID 1672 set thread context of 3308 | 1672 | Setup.exe | RegAsm.exe
  PID 1476 set thread context of 2996 | 1476 | Setup.exe | RegAsm.exe
Program crash (9 IoCs)
Processes (pid | pid_target | process | target process):
  4192 | 1856 | WerFault.exe | Setup.exe
  2500 | 768 | WerFault.exe | RegAsm.exe
  2112 | 768 | WerFault.exe | RegAsm.exe
  2340 | 1672 | WerFault.exe | Setup.exe
  3400 | 3308 | WerFault.exe | RegAsm.exe
  2944 | 3308 | WerFault.exe | RegAsm.exe
  1936 | 1476 | WerFault.exe | Setup.exe
  4872 | 2996 | WerFault.exe | RegAsm.exe
  1140 | 2996 | WerFault.exe | RegAsm.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133565970673021080" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class (1 IoC)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings | chrome.exe
NTFS ADS (4 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\Downloads\Ch3@t_Hub_New.rar:Zone.Identifier | chrome.exe
  File created | C:\Users\Admin\AppData\Local\Temp\7zO48596EC0\Setup.exe:Zone.Identifier | 7zFM.exe
  File created | C:\Users\Admin\AppData\Local\Temp\7zO4855D931\Setup.exe:Zone.Identifier | 7zFM.exe
  File created | C:\Users\Admin\AppData\Local\Temp\7zO485F2E11\Setup.exe:Zone.Identifier | 7zFM.exe
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes (pid | process, in report order, consecutive duplicates collapsed):
  3980 | chrome.exe (x2)
  1612 | chrome.exe (x2)
  1412 | 7zFM.exe (x2)
  768 | RegAsm.exe (x2)
  780 | dialer.exe (x4)
  1412 | 7zFM.exe (x4)
  3308 | RegAsm.exe (x2)
  572 | dialer.exe (x2)
  1412 | 7zFM.exe (x2)
  572 | dialer.exe (x2)
  1412 | 7zFM.exe (x2)
  2996 | RegAsm.exe (x2)
  1340 | dialer.exe (x2)
  1412 | 7zFM.exe (x2)
  1340 | dialer.exe (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
  1412 | 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes (pid | process):
  3980 | chrome.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
  64 entries, all for 3980 | chrome.exe, alternating between
  Token: SeShutdownPrivilege | 3980 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3980 | chrome.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid | process):
  3980 | chrome.exe (x64)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes (pid | process):
  3980 | chrome.exe (x12)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process):
  64 entries, all of the form "PID 3980 wrote to memory of <target> | 3980 | chrome.exe | chrome.exe"; the targets, in report order, are
  1704 (2 entries), then 2180 (repeated), then 4632 (2 entries), then 4780 (repeated)
Processes (indented by tree depth; the bracketed number is the depth shown in the report)

[1] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
    PID: 2936
    [2] C:\Windows\SysWOW64\dialer.exe
        Command line: "C:\Windows\system32\dialer.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses
        PID: 780
    [2] C:\Windows\SysWOW64\dialer.exe
        Command line: "C:\Windows\system32\dialer.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses
        PID: 572
    [2] C:\Windows\SysWOW64\dialer.exe
        Command line: "C:\Windows\system32\dialer.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses
        PID: 1340

[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file_premium/6h9hyxbf0k8pkgo/Ch3%2540t_Hub_New.rar/file
    Signatures:
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    PID: 3980
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffebe29758,0x7fffebe29768,0x7fffebe29778
        PID: 1704
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:2
        PID: 2180
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        PID: 4632
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        PID: 4780
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:1
        PID: 4992
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:1
        PID: 2200
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        PID: 756
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        PID: 4552
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        Signatures: NTFS ADS
        PID: 1848
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5540 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:2
        Signatures: Suspicious behavior: EnumeratesProcesses
        PID: 1612
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1824,i,4226559607509073340,15190512408271524961,131072 /prefetch:8
        PID: 4704
    [2] C:\Program Files\7-Zip\7zFM.exe
        Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Ch3@t_Hub_New.rar"
        Signatures:
          - NTFS ADS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
        PID: 1412
        [3] C:\Users\Admin\AppData\Local\Temp\7zO48596EC0\Setup.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zO48596EC0\Setup.exe"
            Signatures:
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            PID: 1856
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                PID: 568
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Signatures:
                  - Suspicious use of NtCreateUserProcessOtherParentProcess
                  - Suspicious behavior: EnumeratesProcesses
                PID: 768
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 524
                    Signatures: Program crash
                    PID: 2500
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 516
                    Signatures: Program crash
                    PID: 2112
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1008
                Signatures: Program crash
                PID: 4192
        [3] C:\Users\Admin\AppData\Local\Temp\7zO4855D931\Setup.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4855D931\Setup.exe"
            Signatures:
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            PID: 1672
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Signatures:
                  - Suspicious use of NtCreateUserProcessOtherParentProcess
                  - Suspicious behavior: EnumeratesProcesses
                PID: 3308
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 520
                    Signatures: Program crash
                    PID: 3400
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 516
                    Signatures: Program crash
                    PID: 2944
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 988
                Signatures: Program crash
                PID: 2340
        [3] C:\Users\Admin\AppData\Local\Temp\7zO485F2E11\Setup.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zO485F2E11\Setup.exe"
            Signatures:
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            PID: 1476
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Signatures:
                  - Suspicious use of NtCreateUserProcessOtherParentProcess
                  - Suspicious behavior: EnumeratesProcesses
                PID: 2996
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 520
                    Signatures: Program crash
                    PID: 4872
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 524
                    Signatures: Program crash
                    PID: 1140
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1020
                Signatures: Program crash
                PID: 1936

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    PID: 4968

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
    PID: 3844

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 768 -ip 768
    PID: 4836

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 768 -ip 768
    PID: 2160

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1672 -ip 1672
    PID: 3876

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3308 -ip 3308
    PID: 2008

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3308 -ip 3308
    PID: 2732

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1476 -ip 1476
    PID: 3420

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2996 -ip 2996
    PID: 3112

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2996 -ip 2996
    PID: 1888
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 869B
MD5: ca6a22ff326d5eae006f5e8f3f601ed3
SHA1: 740ddcf1158c9fe4f97aa188b767b62b5dc178a6
SHA256: d104876610960b5d2b0fb81e94a416e6956ffdb3dd266be7bc00025293ee7ae6
SHA512: 302a761ffc702f3252390dc85fed50babefb50640676f05b8ca82cf52024b8ae2a00e5c2a099fdd86071439d06a401d744e61d03bd0684ac9fed3686a7555749

Filesize: 369B
MD5: 05850e20df4ff5cc9efe49d11b13a8b8
SHA1: 0a9fb2967cf88f939c52fd7cafcac7a0b7fd592e
SHA256: f2e2fabeb9b2e7b65aac23720f0c7e23cd44378386d66d5175a0bab82c6198ca
SHA512: ef242f9e2fa21f3bf09ddf907f71f5377a9f3089c6004d4f2d6c2262988cc82a2a46e0f6dace4aab509a2dcef66c4b9ce71232a62649f8e3ee9de5a09f81e5c1

Filesize: 6KB
MD5: c9c1dd34c80b511e9dc16b96211b2366
SHA1: 100fb255013bbd935b8eeeac04e93d57938140a0
SHA256: d7569bb2eb44b17d771fb02679aa4a084ce6709a4032ec257acd8d964b59582d
SHA512: 857574fa0bf7555b8948a6f009954c884b32a9b41c69e41ca4a830baca2312fedb2daf6f0475e834f45b25fef9beb206e457d714564f4f6f4822dbe07bf12925

Filesize: 6KB
MD5: 090cb22ac97e5db52e5aecc9d65fd973
SHA1: 4685a919491f4714eda05668388764f2529d7e1c
SHA256: 084dfa3b4f86641fccb3703dfe6411f0ee5ef4c9d6b457d54bb8de49c32d7866
SHA512: a6fb98e0f979b615b39a387fcf6bd4ba42d54d77c269884346c8d43a9609a88325c34395f1e8b1586518efa700c023fa1f774d0a85e78c4c5f1f28b26c390391

Filesize: 130KB
MD5: 7f2122b9f98223dd16b8e45bf511d396
SHA1: 9f18029a2fc217682f51915544b508b82f3d11cc
SHA256: b8da25736f586d449dd6fbdd2e4f1a1b6c8c6d4383b04f2f576db917ca654209
SHA512: 514a00c2108017c7980c7a92dd4bfd1c9c0b67cb4139e08925d93d08203cb903e05ba0a065198cef71818dddc69d67efbe4b7f8cd7549dfb100908b28bb4e754

Filesize: 107KB
MD5: 040199fb507bb4f6dde27f8125cb904a
SHA1: ecb2de7935d3ae338fa68c63e0e5fb6d6e756e27
SHA256: a759fd6ff1fa5127b8a44d58f7eb3efe3e451fd50b01a6d0be3afcc4d05bad64
SHA512: 646a128e035e8676f0244114c89debea15edd296eed3ebf8a89fe9b4d8e08fc049976cc8170989d44e90ffaf72530fb5bcbbc7f6fbaca035502144fcc4c4b746

Filesize: 98KB
MD5: 1fc75115ca6c652c1e38b8c9552eb36f
SHA1: 5ac2a785dac504a47cb4a4026820c4ba1351cf5a
SHA256: 7a560bc6de925a78b136fd7a0149d898d29c49ee15a95994dd841fdcc26fbb96
SHA512: 251936b3ba05c9781db7be41f68fd0decf3fb81235a66a7d033f952abd455a92c9b5975a3cc7e4f7a629bf8e2286f904956d45f2ee670899844aeea3e93bae1e

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 396KB
MD5: 1cf11de39d55d71e8c978a3e5e96e9b4
SHA1: 7e6a66d170b31db3699cc37082576d011680bdec
SHA256: 8e735b709c11669e871dff87b16898292b71d95e40040b9a3bbd9fa3a57c39e9
SHA512: b1dec16ccbee6da03bb7279af4449d143e973675da5c241f5141444129914f31f82facec38b5c2a7f5f36612ee13616b4c33d369ba95333be4777bc1e2204340

Filesize: 282B
MD5: 87e5d0f480797f40a0ce5ab2245eb8db
SHA1: 4cb4218f737c723fbcc28469552d42db1795d494
SHA256: e31ad31c1096f6f3340fbc1099c981b13d9a3b952c330c178952060110669726
SHA512: c6639cb8f39f7a4c1fe3ac8f057f9251d4048dc51813370583af0da0b9a84842e15bb7c3d5991140ad589b96ddc93fab9ba29aeb525265680a21939ef0d248d5

Filesize: 24.7MB
MD5: 6e82d8d3de3d6b07aad4de0c9ebec675
SHA1: fcdde25dfb0a0b13f7501271c640244d0c1f8b21
SHA256: b1cd278881261096529c02bcd5cb72caadd75433d0d73e07a94303597d40dd4a
SHA512: 0c14a1bd600d7f1e82c187e79ebe3ae9f4be4cb2418219f785d30d89a71cd3c4459dc6294af840177551245db741ab311d2c2df6343e3fecc20788cceee4e989

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: (not given in the report)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e