rhadamanthys | hxxp://tinyurl[.]com/bdeutman

Resubmissions

23-09-2024 08:15

240923-j5m93azfmq 10

Analysis

max time kernel
124s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tinyurl.com/bdeutman

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AdDTUiFi5x.exe

description	pid	Process	procid_target
PID 4664 created 2456	4664	AdDTUiFi5x.exe	44

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3964	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

AdDTUiFi5x.exe

pid	Process
4664	AdDTUiFi5x.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

openwith.exeAdDTUiFi5x.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdDTUiFi5x.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133715540314513685"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exepowershell.exeAdDTUiFi5x.exeopenwith.exetaskmgr.exechrome.exe

pid	Process
436	chrome.exe
436	chrome.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
4664	AdDTUiFi5x.exe
4664	AdDTUiFi5x.exe
4664	AdDTUiFi5x.exe
4664	AdDTUiFi5x.exe
4232	openwith.exe
4232	openwith.exe
4232	openwith.exe
4232	openwith.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
3564	chrome.exe
3564	chrome.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
3564	chrome.exe
3564	chrome.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
2908	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
436	chrome.exe
436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

chrome.exetaskmgr.exe

pid	Process
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe
2908	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

launcher.exeAdDTUiFi5x.exe

pid	Process
2616	launcher.exe
4664	AdDTUiFi5x.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 436 wrote to memory of 1612	436	chrome.exe	82
PID 436 wrote to memory of 1612	436	chrome.exe	82
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 1004	436	chrome.exe	84
PID 436 wrote to memory of 440	436	chrome.exe	85
PID 436 wrote to memory of 440	436	chrome.exe	85
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86
PID 436 wrote to memory of 2852	436	chrome.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2456
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://tinyurl.com/bdeutman
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd1710cc40,0x7ffd1710cc4c,0x7ffd1710cc58
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3736,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5200,i,5301036522728472154,11615414718139726112,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Users\Admin\Desktop\launcher.exe
"C:\Users\Admin\Desktop\launcher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:4196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\AdDTUiFi5x.exe"
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\AdDTUiFi5x.exe
    C:\Users\Admin\AppData\Local\Temp\AdDTUiFi5x.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
37833d223b395a8e1cd0e0181ef28493

SHA1
3f65a8767b9cfc96a217d9b6c6a0b48f482758f6

SHA256
2580fea833d23fe0eda7378ea3f079c97abef503004f6c7466f6282fd2a113d2

SHA512
177290c39c5eadd553ac04567038aea389bb64eb9fdd270254e490f995f362168bc6b139dc01e23924d88924eee11bf61aa55002e889bf8f9b71e5f9fb53ac6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
836fc5128ae61330e647aad25a458bd6

SHA1
578e64dbaf491bac922fdc3ddc92d27869369986

SHA256
d94452557d1fa372eb444f5e0c9ad7f74b4c1be80e69d8ad8166597ca5fdbf25

SHA512
39189d78c9a8245e4c4757dc471398965f0ee90d3d6c4caec619f686a1440713e5906f87f86f88d4f6b7869a29a532aa3125bd80e40851e719b1f0bf9c995f14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
552fdbcd411f63e1d5b7634958d60f68

SHA1
521b7d835625fa219cb42e83b874bed6a1083c6e

SHA256
399ae84ac068762f920597d73a873ff706b6c88f219a1fb6fa6b43c506ffc5a0

SHA512
3b96061b4f62a746959f0b458fa71e910fca2943fce2a48e67218a52876b31883f392a00e7f80f1210697c7b3be7f81fdcfd58f03f923e970d4394ed4c7ed6ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
686B

MD5
443bbfa626cf71a769d3273e7db7a5a0

SHA1
d84719dd7f3071704a713ec9104618c70f9908a8

SHA256
4a541df8970defbf7e212bc3ae3b25d9fc6be3f90a9918de2e46d95bbaefe2e4

SHA512
ef98d251d3099fe0f92af332cc29bf190b29359edf5a735c3a6ee75676edfc53b61757dc6f0a080e6e2ab745d40d3845bea3b43f2e54c14aa93aa8903e9da57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2cd97e6b1af8cd4d1175ecf85f90f5ac

SHA1
d3acd38280548b3e662ff1996ca74fd9397f0e21

SHA256
25f15a97c70221463314874b2474875a4f18ee20290de3d6296ad984ebe0e69b

SHA512
2450ffb83f2c14bc66bac0c3679ce3482a89a96c4c02f449c5451519ba9b00c00f232efb0a2b63abbb78438392db29167680f61cef66e0a161911691a92e70a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4c5632b4c78d27244a924d04e6a9b62

SHA1
4cb6cf6accb696af4acc57000be809516efe6cf3

SHA256
6ffb79cb89b270577c79b71bc68820e558cf23598c88d67ed24782d48b6c1cdc

SHA512
42de79c2ec30233b1e1dead568ebe0a20742a25e31d665f4daba3c7cb35b122b865bf7dab09081d12b046b9c47d1a072bbe129d570a1f0e3e533e8e8140fe787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1138667954c8639eb71c92172ff6593

SHA1
1c08b43560e01392bdd43fe42e4e380a6f4a998c

SHA256
5295f6c2133e66b89316ea02529a6b2d6cb46937e4e2f0e6c10023ca09e01ad3

SHA512
29c5a663c14a0a132daba6d7b6b6d8eeff65b3f042f2672b28075ba3cff9a63fb742249267cce57672404e347547d51dbcde6c1b7db3ad0d15dd28cacaa3da7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b22c799af88f41934a807347b871bdbd

SHA1
e3ff7f1ad2b391b9baa4c57def89ee095fac6039

SHA256
b77211891519a31b03d2725fd130af5bc549ef7951ddabf81def77d133cfd5bf

SHA512
59db553b334cb3b256c035f277246c0298ae732c6af971dea2ec4279ed20747951dfffdda890b0e956dacb3f51716b59cdd7ada8edbb859fff5f420d71565743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e1308a4a2b2f5488f9621db6cdc6235

SHA1
79accb294f6e6608b8edc4c17d0a7dccac3d0feb

SHA256
23dbbd41ee42e32de8dcf23e6580bf4e875fdfdcae7b596fea1f7b2d769da764

SHA512
c360142ba3f59b2ee75119ab6a15f1e6e11af01855d4e6e830d031e346a69eb4c8ce18b93c9f57287f37dd099e442509cfcd80f1dfed7519f91c3e02520dd4aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd371f00a3801a37c5a277b893937a12

SHA1
829b2df48f44a351a3dc75d956d3883c3d40a055

SHA256
9d13fa6550febaed24d4ede4cfa6d305f5846bf372d4b349045dfe8c33a0048c

SHA512
112308bd5b74903c2ad8370124bfedddf3824ba7d28239cf2647878957b28d5ae3107c3b80f489606986b238bf421646f8d48c63ca0026e9761566ecd103f6be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc4e2e379d848af60650ba3206d50187

SHA1
8bb783e7ce529794abf6adf75688388d1cecaa6e

SHA256
be7c00b5a2378225a3efc1db2887ad71aabf7d1faf9bd6a9146a97b345cba8a7

SHA512
220923299ce07232c263d8152d7d6aea403abfa8f2ccafd953cbebd109d58aa9905f092d7a35abf14aad48ee6c2f4c05c3ca8c8ac189f814f6333155de4e16b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1554b2b77729e11e42365a0a900c588

SHA1
85209f0be783eb57ab27baa05e6e32da1d35f609

SHA256
a90e4d91d50d74ebf45e9be98eff9604d751787e6ad0122ab22cf603abf7fc79

SHA512
651b8de789c02f44c8749b8ec0f5f680ad6bf6ec3df27407ca50a529a518bf0899f7c7b2c81f6171e6391ba377a6f94ff7730253c0e7055e96edc35d6e8b13a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0abb8fd73118ff61e80fc9bf441acbd3

SHA1
1857699ae0a99fb475e1c0368f2c4605004e93d3

SHA256
864b165ec19780df3c836d0f77b40407067b4fee9875b8f280f5df1d3f10839e

SHA512
c7b1ed3a84189e7d03b239f0edd1376558bfc23426331825aa037fb721d6750d7d22a6280c96b916fa12a63a46d0e03aa5ab944f387f0f426334b7f72310f234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a4fc459f3dc03b2bcc1666b70f6d23b5

SHA1
42fd460aba1c603994eee28a1707d07905322131

SHA256
b6c9897b89d74de535c1c8b3da09addce3046980d4edb545f9c04ac1168c7c47

SHA512
dd826c0b0a50157c29b8215840df66f56d95f78c37a6c3aa8074c602e7c3362a6f54f07faa452274b63f63ff74f11afa016472f1a778f696e3b21317c8509bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdDTUiFi5x.exe

Filesize
5.1MB

MD5
588a46f868c4f4dac5b9b255f2584362

SHA1
f6b4502c0abe6f2ba66cf98b84a90dae89efcd97

SHA256
c396b25bf0b7ad349be220d1e1a78604eb1f83b6c42776c53cbb93155ef57a15

SHA512
ea1294e53bf6aee1266de52d38f40be8689f0f8056a43cba04c57c63b7640f9e1b84e1431e79d838b8a9d61956b1044e730b58883882a71e5f02ff477b17972a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2m5bwa2.fit.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_436_GQSIANYGYHIHTJDQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2908-159-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-167-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-170-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-169-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-165-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-166-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-168-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-164-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-158-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/2908-160-0x000001B470440000-0x000001B470441000-memory.dmp

Filesize
4KB

Download
memory/3964-126-0x000002BD37AA0000-0x000002BD37AC2000-memory.dmp

Filesize
136KB

Download
memory/4232-151-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/4232-155-0x00007FFD25630000-0x00007FFD25825000-memory.dmp

Filesize
2.0MB

Download
memory/4232-154-0x0000000001FA0000-0x00000000023A0000-memory.dmp

Filesize
4.0MB

Download
memory/4232-157-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/4664-145-0x0000000000330000-0x0000000000865000-memory.dmp

Filesize
5.2MB

Download
memory/4664-152-0x0000000000330000-0x0000000000865000-memory.dmp

Filesize
5.2MB

Download
memory/4664-150-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/4664-148-0x00007FFD25630000-0x00007FFD25825000-memory.dmp

Filesize
2.0MB

Download
memory/4664-147-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/4664-146-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/4664-142-0x0000000000330000-0x0000000000865000-memory.dmp

Filesize
5.2MB

Download
memory/4664-144-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download