Resubmissions
06-08-2024 17:54  240806-wg178swajr  10
06-08-2024 17:17  240806-vtzz9sydnh  8
06-08-2024 17:01  240806-vjypfsybqf  10
06-08-2024 08:46  240806-kppnmavdqj  10
06-08-2024 08:34  240806-kgm5tsvckl  3
06-08-2024 07:19  240806-h5szwaxanh  10

Analysis
max time kernel: 146s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2024 08:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://dl.dropboxusercontent.com/scl/fi/aihkutsoiyhu3to98rfeu/.rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: https://dl.dropboxusercontent.com/scl/fi/aihkutsoiyhu3to98rfeu/.rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0
  Resource: win11-20240802-en
General
Target: https://dl.dropboxusercontent.com/scl/fi/aihkutsoiyhu3to98rfeu/.rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  description: PID 1704 created 2536 | pid: 1704 | Process: תמונות של הפרת זכויות יוצרים.exe | procid_target: 44
Executes dropped EXE 3 IoCs
  pid: 3320 | Process: תמונות של הפרת זכויות יוצרים.exe
  pid: 1704 | Process: תמונות של הפרת זכויות יוצרים.exe
  pid: 2568 | Process: תמונות של הפרת זכויות יוצרים.exe
Loads dropped DLL 2 IoCs
  pid: 3320 | Process: תמונות של הפרת זכויות יוצרים.exe
  pid: 2568 | Process: תמונות של הפרת זכויות יוצרים.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint" | Process: reg.exe
Drops file in System32 directory 2 IoCs
  description: File created | ioc: C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | Process: chrome.exe
  description: File created | ioc: \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | Process: chrome.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  pid: 3320 | Process: תמונות של הפרת זכויות יוצרים.exe
Program crash 2 IoCs
  pid: 4996 | pid_target: 1704 | Process: WerFault.exe | procid_target: 113
  pid: 4772 | pid_target: 1704 | Process: WerFault.exe | procid_target: 113
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: תמונות של הפרת זכויות יוצרים.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: תמונות של הפרת זכויות יוצרים.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: cmd.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: reg.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: openwith.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: תמונות של הפרת זכויות יוצרים.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Process: chrome.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Process: chrome.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Process: chrome.exe
Modifies data under HKEY_USERS 2 IoCs
  description: Key created | ioc: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | Process: chrome.exe
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674076210778772" | Process: chrome.exe
Modifies registry class 1 IoCs
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | Process: OpenWith.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
  pid: 2376 | Process: chrome.exe
  pid: 2376 | Process: chrome.exe
  pid: 1704 | Process: תמונות של הפרת זכויות יוצרים.exe
  pid: 1704 | Process: תמונות של הפרת זכויות יוצרים.exe
  pid: 4044 | Process: openwith.exe
  pid: 4044 | Process: openwith.exe
  pid: 4044 | Process: openwith.exe
  pid: 4044 | Process: openwith.exe
  pid: 3080 | Process: chrome.exe
  pid: 3080 | Process: chrome.exe
  pid: 3080 | Process: chrome.exe
  pid: 3080 | Process: chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  pid: 2376 | Process: chrome.exe
  pid: 2376 | Process: chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 61 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
  pid: 2272 | Process: OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (bracketed number is the process depth in the tree; child processes are indented under their parent)

[1] C:\Windows\system32\sihost.exe (PID 2536)
    command: sihost.exe
    [2] C:\Windows\SysWOW64\openwith.exe (PID 4044)
        command: "C:\Windows\system32\openwith.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2376)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dl.dropboxusercontent.com/scl/fi/aihkutsoiyhu3to98rfeu/.rar?rlkey=a555bfxjfjyg6hq2i5bzmcndj&st=i170g4xw&dl=0
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4920)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff5ac3cc40,0x7fff5ac3cc4c,0x7fff5ac3cc58
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3748)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1856 /prefetch:2
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1148)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2160 /prefetch:3
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4072)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2296 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1432)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3136 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 728)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3172 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4772)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4792 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1824)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3668,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5160 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3080)
        command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5016,i,15123216688491554107,7148974522547652253,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5196 /prefetch:8
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3260)
    command: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

[1] C:\Windows\system32\svchost.exe (PID 2972)
    command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

[1] C:\Windows\System32\rundll32.exe (PID 4192)
    command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Program Files\7-Zip\7zG.exe (PID 2592)
    command: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים.rar\" -spe -an -ai#7zMap27970:140:7zEvent11128
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\7-Zip\7zG.exe (PID 452)
    command: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\" -spe -an -ai#7zMap19327:118:7zEvent744
    - Suspicious use of FindShellTrayWindow

[1] C:\Program Files\7-Zip\7zG.exe (PID 2484)
    command: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\" -spe -an -ai#7zMap6092:118:7zEvent16916
    - Suspicious use of FindShellTrayWindow

[1] C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe (PID 3320)
    command: "C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe (PID 1704)
        command: "C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 4996)
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 500
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 4772)
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 508
            - Program crash
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2072)
        command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
        - System Location Discovery: System Language Discovery
        [3] C:\Windows\SysWOW64\reg.exe (PID 1012)
            command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe (PID 2304)
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1704 -ip 1704

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3424)
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1704 -ip 1704

[1] C:\Windows\system32\OpenWith.exe (PID 2272)
    command: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe (PID 2568)
    command: "C:\Users\Admin\Downloads\תמונות של הפרת זכויות יוצרים\תמונות של הפרת זכויות יוצרים.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads