rhadamanthys | hxxps://dl[.]dropboxusercontent[.]com/scl/fi/aihkutsoiyhu3to98rfeu/[.]rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0

Resubmissions

06/08/2024, 17:54

240806-wg178swajr 10

06/08/2024, 17:17

06/08/2024, 17:01

06/08/2024, 08:46

06/08/2024, 08:34

06/08/2024, 07:19

Analysis

max time kernel
146s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dl.dropboxusercontent.com/scl/fi/aihkutsoiyhu3to98rfeu/.rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0

Score

10^/10

rhadamanthys discovery persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1704 created 2536	1704	תמונות של הפרת זכויות יוצרים.exe	44

Executes dropped EXE 3 IoCs

pid	Process
3320	תמונות של הפרת זכויות יוצרים.exe
1704	תמונות של הפרת זכויות יוצרים.exe
2568	תמונות של הפרת זכויות יוצרים.exe

Loads dropped DLL 2 IoCs

pid	Process
3320	תמונות של הפרת זכויות יוצרים.exe
2568	תמונות של הפרת זכויות יוצרים.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3320	תמונות של הפרת זכויות יוצרים.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4996	1704	WerFault.exe	113
4772	1704	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	תמונות של הפרת זכויות יוצרים.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	תמונות של הפרת זכויות יוצרים.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	תמונות של הפרת זכויות יוצרים.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674076210778772"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
1704	תמונות של הפרת זכויות יוצרים.exe
1704	תמונות של הפרת זכויות יוצרים.exe
4044	openwith.exe
4044	openwith.exe
4044	openwith.exe
4044	openwith.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeRestorePrivilege	2592	7zG.exe
Token: 35	2592	7zG.exe
Token: SeSecurityPrivilege	2592	7zG.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
452	7zG.exe
2484	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2272	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4920	2376	chrome.exe	86
PID 2376 wrote to memory of 4920	2376	chrome.exe	86
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 3748	2376	chrome.exe	88
PID 2376 wrote to memory of 1148	2376	chrome.exe	89
PID 2376 wrote to memory of 1148	2376	chrome.exe	89
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90
PID 2376 wrote to memory of 4072	2376	chrome.exe	90

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dl.dropboxusercontent.com/scl/fi/aihkutsoiyhu3to98rfeu/.rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff5ac3cc40,0x7fff5ac3cc4c,0x7fff5ac3cc58
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3668,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5016,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים.rar\" -spe -an -ai#7zMap27970:140:7zEvent11128
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\" -spe -an -ai#7zMap19327:118:7zEvent744
1⤵
- Suspicious use of FindShellTrayWindow
PID:452

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\" -spe -an -ai#7zMap6092:118:7zEvent16916
1⤵
- Suspicious use of FindShellTrayWindow
PID:2484

C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe
"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3320
- C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe
  "C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 500
    3⤵
    - Program crash
    PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 508
    3⤵
    - Program crash
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1704 -ip 1704
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1704 -ip 1704
1⤵
PID:3424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe
"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c77abee8770284983aaa0e30c635681d

SHA1
6891d85eb0b4d2c0cbe28254b17f716c05e000cc

SHA256
e4cef83b8c15ad0220648cb652bdb223c514f4f2bc8e479e2f88598b0ae9e79a

SHA512
675763711b43ff3bd190d1a3a842f26fa167c7f6a2a9b1e934e3d95a6defcdd08ba49a1562e3e69dffbb47d1bcca62a06140b27597fd64469c0b39b3f688c427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
94c34ca3c3274e59e97d6e361778a3ce

SHA1
4c08cb2f382663191995d0eed79077b57f4f95e0

SHA256
402ac7980b85579539b6856f4e21acd0059b97076d0f18b3dcbb3f9f512f633d

SHA512
01cae4ae63363b4f95e07f098e02cc19c243e83c2eb9ec34dfd78f0ccf99ebf3042a4309b9412d32cbefe5ada30e7b49679416c9b3e90ec7bf0056b2385ca22e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
6abb76eb28f29454a70c76f913dc03a9

SHA1
bece4609dde08603e3f27cfe3b729efa73fdd229

SHA256
11efe4f22780c71b2984ef2e90711ff84ffbdae7f0df3e7ff7e6c6a041419348

SHA512
9e2e1ff8f1c47906a847c35fe95409f09df4c198eeb0465f5115648e9b33ceda2410ca555a6f990419fdeaf7698bfcc3faf9e45935b6f76837200396ea5a172d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f7450545c35aaf56fd6410a3c86f2ad3

SHA1
bd16d30d4c383cb6c43fc8013c27240a9e9aba84

SHA256
bc7848272e2e7c9a90a0c52eb6ca3b633e59ab6baba7937f43e1d00dc566d7fc

SHA512
5eaee332b18a49b6614662c72333698e0caa4cbb585531bbc4175323861d0d3705a04bd41512aead4b17be4486a3efacf8d98220ffda0bc43b1f12145741bbd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
704ade86b8d61728b4bd68f7253d0a3d

SHA1
5e4f1cec298a3641cefbaf49aa0fdc57e6ad0969

SHA256
a7873d0df9e5746c520299fef84a9a1afbdb02b77592e2fccce331db058e0f88

SHA512
5603e34893ee19c8e3c5759b28ed1db57c6d41c12c0278cfa686ee7f478f00d2f79b75c56b8aad5d17e8d43df55744ec0d3210789756d287a068377182083bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
91c594f1e59c63e2eb864c2064968ccb

SHA1
ff85518f89354066034afe24314dec8e95fe884a

SHA256
a1488a96c69635f45f15e2a9ebae59cc5c539ae1bc66b63de5e7336e822551c5

SHA512
769844cd0b137a27f92f2833d4eebf433fe7ab468c0b64e3af33337539cb7f7a56bc4a0e0a277b607eb40cf1ee7a7333bd76ff441f6c6400139f3abe86f59b37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fccaec627c4b70326587b6510b2b8298

SHA1
d507727c77811ae99d3cfa4e6e1a62f8e74d4131

SHA256
5a0c5184c875264cde878de17fb73216243f08bfe1d040b08cf6a80ddaefcadf

SHA512
6f2c476df437fa31c3611e2229e9331a0914fc8b8a743161818b7b70217d602d0fb1e58cbc7fe81df4feb42fbbacc15134ccec0b3b814d258b2cb46a06a0425b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
caa1d37396999a1aa664e4bf75253694

SHA1
000c2761b62af2d0ab77543dce89d0cd8d5ce2d7

SHA256
ca0ade86e096ee5833a08256c9338e34c1b2fe3e7b3bd1e8b5025ec9815ee573

SHA512
96b0f927b6ed861708a77babbf75c822ddc7be1ece96057e53e2dea21e206237a22f32dfd588c41d73e33c2de114bccd6ae52e4056e245ff4d2bbb01b3a23374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
28cdd15aa5f42b1dbeb6266c473d8450

SHA1
cdb50f75b6a0cdb3e13125996b4bdd0c179c5c2a

SHA256
4ff1215df569e191eb654afae4e636a8fd76713c7b0cad57275e1c359c54d431

SHA512
701f73a924ad153d7918e9799c03237c6bffb52841ef08895c8e3b2dffdd826db6b4ea6dbbc79c11e8bcac5a0ee43ede657440dd0025accd05f3db280e4a25c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a7e5e5a51ce518f78ecd9b3fcef6a5e3

SHA1
57ac24129aea355f6f96fad79a71566002245d96

SHA256
78f7b0f46c0c47c095e635c5f4b4d500415d93ea9e5aa8dd98f8a900be9120e5

SHA512
0653cc17ae609b1cc4d0d33e791b361786a673af4b0f83496785e470c2d5e25a9c110c188be08f74f046afd93a6d53f64fe1ec945d640910c0f7f5bfe936d3e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
35cac0d237460ce261808662edb019de

SHA1
00578ab4d07ca746d2bd1ee226689a553dc778f4

SHA256
ebd6555f30e43e136fa47e6365b57bd56ed6576b3d69f85f99c176651e68e984

SHA512
52453a2b82454fcd15e3c66527c172fd64a7a307e67264e0188901bed7c3753cf29c114729ce91a1013c4a3f0c34877994f9ec35625c7e1e8d81082970468077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1dad9bf95ebaf2bfb7791c693603b81c

SHA1
e30718dfbdc02b14c2c185135a3863aa3c08946f

SHA256
6c15791579212f7f23896eaed84c22048eb335d56c08852273a668a59d075d90

SHA512
1677cbad64a30da958e8cfb93400b320466718fecf11b961be69dece3d571f3f5fdaf8fbb1d44c747b209f604646779f1dfa7f60df2666bd07db7a41034fc09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a34a1c2db92292f3c6dd76ed02b7f2cc

SHA1
c48a1293f928750e0a0db9771c659037fe15e1de

SHA256
820c7cc539b2c8fa62b67a97b7f2411a0843c3be2d457929a7c48f1e9755c081

SHA512
3ecc46c0307343da469c2795f39c9bd06af81e7c344e5c97259bbf055af62593a80a3bc886213f64ad70a5d5345660b531add50099f0f84ab43663b0f7ebb391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
a7c75f4426924c36e53b09757c9b3ac0

SHA1
e9a2a20aba3d7649a3ddd0312bafd48aa12a2b40

SHA256
9f3ced2809e77bcacd6061103bf7f5512f1a0aeb08fc8e4cbb44e1470c912fe8

SHA512
81a8746c8ff5e5a9f07cf5767c5c7c8d3b90313bb82e806ec006f7a508cf33695f1f102fcf5d99d247d2c7ab6c41890a871f82f6ff89545aae48bb0cc3a7d5c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
6edfb2adda94eed3a5796a4e30ce69fb

SHA1
3b8138a17798d83b4b12227cba8ebf4f9824af32

SHA256
7a4a8da7ab94e2cd4ec0cc61d8ad6470ce957ab933134bc759e836b3aa77e88b

SHA512
a46076117628a5ebbb7baf08fdba19c5304e157d25cbd319a349957b3b44f1c095441532f297cb782dadc953cb4a0b7ea088f3ba3e3bf25f4deb7c800b73e5df

Download Submit
C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\MSIMG32.dll

Filesize
2.0MB

MD5
e0ad9ffbba6ea7e6d85988fde368aaa3

SHA1
2cebb5d57c7b5a9800c86bec71346d44f4f637e4

SHA256
ff154fa75000e745b6ef7e611da5d5ca590c92cd65fb12275a2b7ac7f7255ea7

SHA512
1a62bd660c2d02be17e17ff1c6600d026c2797b940251d4d1d114a099ab9642df95e0b893e71cc7f7f505343ba2d780402540fd035aceff126dd731744ea3f66

Download Submit
C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe

Filesize
1.7MB

MD5
30307b319b2451b6bf61d3e6b232f1da

SHA1
6a512848872be1325761e7ca110e0a1ee91cb0ef

SHA256
a7dbbad8a1cd038e5ab5b3c6b1b312774d808e4b0a2254e8039036972ac8881a

SHA512
7833ecb30a75324af6852e3583a609a653652f3cda9037ace7a1098ce7e52ed4b994c5ff1a0a0b4db748a01b06e8d4b8a10a50ebb9c0d4fbc8aa12dd1168f0b7

Download Submit
memory/1704-126-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1704-128-0x0000000003360000-0x0000000003760000-memory.dmp

Filesize
4.0MB

Download
memory/1704-129-0x0000000003360000-0x0000000003760000-memory.dmp

Filesize
4.0MB

Download
memory/1704-130-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-132-0x0000000075DB0000-0x0000000075FC5000-memory.dmp

Filesize
2.1MB

Download
memory/1704-122-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2568-188-0x0000000011000000-0x0000000011369000-memory.dmp

Filesize
3.4MB

Download
memory/3320-121-0x0000000010000000-0x00000000101F8000-memory.dmp

Filesize
2.0MB

Download
memory/3320-117-0x0000000011000000-0x0000000011369000-memory.dmp

Filesize
3.4MB

Download
memory/3320-127-0x0000000011000000-0x0000000011369000-memory.dmp

Filesize
3.4MB

Download
memory/3320-124-0x0000000010000000-0x00000000101F8000-memory.dmp

Filesize
2.0MB

Download
memory/4044-145-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4044-147-0x0000000075DB0000-0x0000000075FC5000-memory.dmp

Filesize
2.1MB

Download
memory/4044-144-0x0000000002E00000-0x0000000003200000-memory.dmp

Filesize
4.0MB

Download
memory/4044-142-0x0000000001230000-0x0000000001239000-memory.dmp

Filesize
36KB

Download