1ef9f6f47ce297fa50fe714562d32ec98773acddeec5b17b956e6d4b94bbd14f

Analysis

max time kernel
299s
max time network
241s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aridek shit/SpoofShit2.exe
Size

1.1MB
MD5

980ec9e44ba9ad605cfc829108a4b0fd
SHA1

bbc735e5e8bed45b71ff3c6f53a082b06dad8b60
SHA256

79e1577798e3c7a0df48ad7ff147a1636baa7a5fc9c5f4a7cbce878ba85ed506
SHA512

69d6dff6a9ec99343cfc8ce2f1032457b6c884351464c448258247242441e22816fc89990df592837feae7dc760f376d2b16bc0cf46180e17a3ed46a3a247f4e
SSDEEP

24576:OtA4KdTQiBtg9ddxcj9XUcw72X4bD82EUCmNWi2HZ:PdTP4dxiSNyX2LymWiOZ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

extd.exeextd.exeextd.exeload.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exeextd.exe

pid	process
3396	extd.exe
4764	extd.exe
5012	extd.exe
2928	load.exe
4516	tool.exe
2904	tool.exe
660	tool.exe
4484	tool.exe
3656	tool.exe
1120	tool.exe
5076	tool.exe
4520	tool.exe
4900	tool.exe
1660	tool.exe
4788	tool.exe
3004	tool.exe
3464	tool.exe
2540	tool.exe
2084	tool.exe
1464	tool.exe
3508	extd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe	upx
behavioral2/memory/3396-24-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/3396-25-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4764-30-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4764-31-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/5012-33-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/3508-61-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/3508-62-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584420023955526"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4988	chrome.exe
4988	chrome.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4468 taskmgr.exe
Suspicious behavior: LoadsDriver 16 IoCs

Processes:

pid process

652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4988 chrome.exe
4988 chrome.exe
4988 chrome.exe
4988 chrome.exe

pid	process
4468	taskmgr.exe

pid	process
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SpoofShit2.execmd.exeload.execmd.exechrome.exe

description	pid	process	target process
PID 2484 wrote to memory of 2952	2484	SpoofShit2.exe	cmd.exe
PID 2484 wrote to memory of 2952	2484	SpoofShit2.exe	cmd.exe
PID 2952 wrote to memory of 3396	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 3396	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 4764	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 4764	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 5012	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 5012	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 2160	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 2160	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1140	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1140	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 4376	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 4376	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 2928	2952	cmd.exe	load.exe
PID 2952 wrote to memory of 2928	2952	cmd.exe	load.exe
PID 2952 wrote to memory of 2928	2952	cmd.exe	load.exe
PID 2928 wrote to memory of 2600	2928	load.exe	cmd.exe
PID 2928 wrote to memory of 2600	2928	load.exe	cmd.exe
PID 2600 wrote to memory of 4516	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4516	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 2904	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 2904	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 660	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 660	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4484	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4484	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 3656	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 3656	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 1120	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 1120	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 5076	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 5076	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4520	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4520	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4900	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4900	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 1660	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 1660	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4788	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 4788	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 3004	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 3004	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 3464	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 3464	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 2540	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 2540	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 2084	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 2084	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 1464	2600	cmd.exe	tool.exe
PID 2600 wrote to memory of 1464	2600	cmd.exe	tool.exe
PID 2952 wrote to memory of 3508	2952	cmd.exe	extd.exe
PID 2952 wrote to memory of 3508	2952	cmd.exe	extd.exe
PID 4988 wrote to memory of 2052	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 2052	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 740	4988	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit2.exe
"C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\3D49.bat "C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit2.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe "/getconsoletitle" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:3396
- - C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe "/resizewindow" "Administrator: sex" "0" "0" "1129" "520" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe "/center" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:5012
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tzautoupdate" /v Start /t reg_dword /d 4 /f
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" /v Type /t reg_sz /d NoSync /f
    3⤵
    PID:1140
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t reg_dword /d 0 /f
    3⤵
    PID:4376
- - C:\Users\Admin\AppData\Roaming\Aridek\load.exe
    "load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4064.tmp\4065.tmp\4066.bat C:\Users\Admin\AppData\Roaming\Aridek\load.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SM "System manufacturer"
        5⤵
        Executes dropped EXE
        
        PID:4516
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SP "System Product Name"
        5⤵
        Executes dropped EXE
        
        PID:2904
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SV "System Version"
        5⤵
        Executes dropped EXE
        
        PID:660
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SS "System Serial Number"
        5⤵
        Executes dropped EXE
        
        PID:4484
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SU "AUTO"
        5⤵
        Executes dropped EXE
        
        PID:3656
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SK "SKU"
        5⤵
        Executes dropped EXE
        
        PID:1120
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /SF "To be filled by O.E.M."
        5⤵
        Executes dropped EXE
        
        PID:5076
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /BS 300882532216499
        5⤵
        Executes dropped EXE
        
        PID:4520
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /BT "Default string"
        5⤵
        Executes dropped EXE
        
        PID:4900
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /BLC "Default string"
        5⤵
        Executes dropped EXE
        
        PID:1660
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /CM "Default string"
        5⤵
        Executes dropped EXE
        
        PID:4788
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /CV "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3004
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /CS "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3464
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /CA "Default string"
        5⤵
        Executes dropped EXE
        
        PID:2540
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /CSK "Default string"
        5⤵
        Executes dropped EXE
        
        PID:2084
    - - C:\Users\Admin\AppData\Roaming\Aridek\tool.exe
        
        tool.exe /PSN 36431111621297
        5⤵
        Executes dropped EXE
        
        PID:1464
- - C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:3508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff41f0ab58,0x7fff41f0ab68,0x7fff41f0ab78
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:2
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4328 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:404
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff74066ae48,0x7ff74066ae58,0x7ff74066ae68
    3⤵
    PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4552 --field-trial-handle=2052,i,16790771550147954622,6247143408217486536,131072 /prefetch:1
  2⤵
  PID:1484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
fc332ad14ca615a8ddfb63530dbed2a9

SHA1
eb80d25002fbca4848a120d0bd60620d653fb989

SHA256
1099f5b9a1e6fd53df79ace82aa9c0c53290797e9ef1e776aea2a1c4268ed0c8

SHA512
5743d9d7cda6a23fd61489e4942a9f70d53af242388e988e182e6ef5f7185908f515940ab6e274386fe7b4fda81311283a39243f233e7024023bcaf0c294164f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
079fb2b0993c1e37cdc8de167413740b

SHA1
64259145048eb118947a7d0446d7066001cad30c

SHA256
67ec3844e297e14e5ba1920af04fd90f8d6ae965f0f9c317f80721498f251b7a

SHA512
9e0d737c2e37f6c8da5bf26ef647ed970a0f7ba04ce86ef549563384816ff52b7609b35fee5780ecc88f838dc9985c5a093ff3aedae344a2d8cc9f2bcb70f7c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f2cdc08017a38f67ef6660038a780ff4

SHA1
918e5eec3124a7b4d2121047445de21a359ec11c

SHA256
2d0e432eeb9570bbeada8c43832dcc22698155f07e04658f7edadab9b09e918a

SHA512
883e292a4303cfb4cd66d23e63aea1589d8bfa291516786bd18340ca790dbea15c37b26e1a3145448ca6ece955fc33ba484cd658ce9ab3d1165d5dc637410e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e4487dbc971282cbcd36f376c04d2bc8

SHA1
3d3c91fedd65bab1c0c58f0531ff7e0de2a9c6c6

SHA256
bf8e33cf27dc0f72b36d5cdf4a1b8c0523cbc6e749116fc9e19b15b6ca89ee6f

SHA512
f45e62a063880ab68037269c0fa6d59afa0cd9bbb1398d982b1edfe44f0691e5862d9ef96bfc4b1abeb8111f3b26bbb2c6d661b8577302f019162dcdf091af7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4bade06c04908e233a60547d02acbb2a

SHA1
e6d8c93eebb2770a9b8784df3b9bdcb2ccd85c38

SHA256
e53087e4a70411d83e50bf959b275ec0fd87bbb06334701d8dac3b6d321d47c9

SHA512
9b2a46801e26b88fc77836916c31841816299d879163706df433d2118573e5c653c06dcb413f2981826ffae840ea021a2e249a12b06a3634c9aeb6c2ff448377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e78b327d52e6ef7e792ba496759b3812

SHA1
d12ca0ffbf1dc3d6c2f6da2d52b281b3549b6b1a

SHA256
1a35617c9afbc9cd935f60f6025d232052ccd08aee9bcc6ae798f63bc35173c0

SHA512
eb2ad07b91e12f056eb52123893db33b1ef91fa2d747b0a54a58240d713b86b2b37c857d581e586ab11b0f28990776294b18a7a101dcc4c244189368caeb44c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
ebf561e2300557455c56cdedc9c7d224

SHA1
770a9883b6ee947d851d037e578873c8a652fd2e

SHA256
b99f6e1da18bfeaf1c19deff3955c72754d2b37391a632611bfedd9eb285206c

SHA512
e5001827b3f683a4737927b6328a566cd342077aabef69be4760e63bba8d978dc7162a91e34dc9ec74545f5315529959066b3d3d44dcb3c1be618b2421759c17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
39ea40ba601876f8291fdba5809d74cd

SHA1
ee375ff4a7a77a506d2519611ec8db4a40c6e37b

SHA256
c72f975b94e73dd37ce61192f734471029d86f6867f1b8795a73e85b8655e950

SHA512
a739302a93a52a4f030bbd0fce9727f336979a936b42319c8e01e919f90ed42858cbe905a8f70fa3c90b15b0239b9b230a405e1686f0d88a5983d0d8a2dc8ed4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
308171f5d8b96132dac6e6b63eb27d75

SHA1
aee64825c726b607351e47e21133298cfba37475

SHA256
5758b412ebcba13277aa806573beac1b5c16b39379daf6ba6b1182aedac1c572

SHA512
407836d1ebffd08e2e68ead8487b2aac14a8a7a54ad48d0cf5ca7bd77fa818dcfdc2e6343742898822425a89ba5de8d5cd0dddb5bbde2653307d8822f90d3dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\3D49.bat

Filesize
1KB

MD5
0b100bddb3f5346233254e4238a76193

SHA1
d4e3653ce2db66f0d6d6f31622e6fc28f9eaec42

SHA256
3a125e99f0d470cf48a6d152b0ca32e0e831326f417969075ba214da4b1486db

SHA512
c25901498230f195080ec7e0fbe700c0d32c220c7e9337bdbbc558cb02496d9cea74c998d9e0ef201c861b77773e62740a2502060bcfe7dcd09b70ba11432c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D47.tmp\3D48.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\4064.tmp\4065.tmp\4066.bat

Filesize
545B

MD5
a8d805349e3718d67fb16fea2e860186

SHA1
394704bef9cf3580aae4ea83f7e698d38ccd5a53

SHA256
f5662df0ec4b20f0503ca6a1ffb0180f36e28127e00e565546360550585c76b6

SHA512
37546bd2430906c1bb7096f1d67ce0b9e71bd69e902a028f590df8637af9c57aa4b77a517f2670b8c8000177872251efb3782502b8cb8c5efe8cb2f89c6cba69

Download Submit
C:\Users\Admin\AppData\Roaming\Aridek\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Roaming\Aridek\load.exe

Filesize
89KB

MD5
5700cabc6bf4e6aea2f3535fe34f14e2

SHA1
9b0bd296120b99060c88fb5f870f8da1e046d640

SHA256
18c0da701463f2f99e5b8c91d2aa6315b4538960fe883a6bfb519f623fc2696b

SHA512
8db7bcf3e6babbcd2d122d55b6eb17136392ce7951cfbec550b1e8ea2d08348ffdaea37666be0e9df3889867907180c3bfa95ffbe8a307a94b147cc397bead5b

Download Submit
C:\Users\Admin\AppData\Roaming\Aridek\tool.exe

Filesize
453KB

MD5
b696823b80d01a67c1e25355fdaa8bab

SHA1
932d2cd264daa771e93b094de870feb4ec0e1d93

SHA256
4ef86ce5877adc7f861b79da511ca2cbc7b454d6acc33e4a3ccbf21092fe6d94

SHA512
7eadf67c666152002a8d168e6beea36f3f7a7b2c57c313461dea1ba8cb0590fe0d6f6c2c0b4cd147e3ff2429fb99de8e84f3a036c8c7dbf5012d1346e4aff65f

Download Submit
\??\pipe\crashpad_4988_NTLSCLGUSTYCZFDX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3396-24-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3396-25-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3508-61-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3508-62-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4468-276-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-278-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-277-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-282-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-283-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-285-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-284-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-286-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-287-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4468-288-0x00000242EB120000-0x00000242EB121000-memory.dmp

Filesize
4KB

Download
memory/4764-30-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4764-31-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/5012-33-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download