rhadamanthys | 456ebef3ea4fd5820ebf1f96be5057967a020d7d1808a598dcda016a4629a00c

Analysis

max time kernel
149s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project/GitMultiLoader.exe
Size

42.7MB
MD5

5ec24905f80bb16b8844d440fd4ca921
SHA1

079f6782c79d633f3ac1288523d39fd5c6132df9
SHA256

eec6302b15fdbf92d7c6204f195246278aa2d7c54ed2eaf51f8298554ac75024
SHA512

10e3b37422b3d540f9435712ee94955df759ed1c404e35e708f0b6863ff2f8c4b1ff0fc084df10ffd805a9a9e633bb6110dc82d0d8d8d474439cd8a5b6fbfc55
SSDEEP

98304:YfCv+rScGQYPDofAKB1RYQpHd5nKRQGEaTmR3vNUkqh76n7EnVFG8TzIhX724Lks:Y7EsfAeHY0x7nbT9UsMaN6maSl

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 2088 created 2628 2088 RegAsm.exe sihost.exe
Executes dropped EXE 1 IoCs

Processes:

driver1.exe

pid process

4908 driver1.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\tpm.msc mmc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

driver1.exe

description pid process target process

PID 4908 set thread context of 2088 4908 driver1.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2348 2088 WerFault.exe RegAsm.exe
3180 2088 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 2088 created 2628	2088	RegAsm.exe	sihost.exe

pid	process
4908	driver1.exe

description	ioc	process
File opened for modification	C:\Windows\system32\tpm.msc	mmc.exe

description	pid	process	target process
PID 4908 set thread context of 2088	4908	driver1.exe	RegAsm.exe

pid	pid_target	process	target process
2348	2088	WerFault.exe	RegAsm.exe
3180	2088	WerFault.exe	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522341246862399"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exeRegAsm.exedialer.exechrome.exe

pid	process
3220	powershell.exe
3220	powershell.exe
2088	RegAsm.exe
2088	RegAsm.exe
1448	dialer.exe
1448	dialer.exe
1448	dialer.exe
1448	dialer.exe
3452	chrome.exe
3452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3452 chrome.exe
3452 chrome.exe
3452 chrome.exe
3452 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exemmc.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3220	powershell.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: 33	2356	mmc.exe
Token: SeIncBasePriorityPrivilege	2356	mmc.exe
Token: SeShutdownPrivilege	3452	chrome.exe
Token: SeCreatePagefilePrivilege	3452	chrome.exe
Token: SeShutdownPrivilege	3452	chrome.exe
Token: SeCreatePagefilePrivilege	3452	chrome.exe
Token: SeShutdownPrivilege	3452	chrome.exe
Token: SeCreatePagefilePrivilege	3452	chrome.exe
Token: SeShutdownPrivilege	3452	chrome.exe
Token: SeCreatePagefilePrivilege	3452	chrome.exe
Token: SeShutdownPrivilege	3452	chrome.exe
Token: SeCreatePagefilePrivilege	3452	chrome.exe
Token: SeShutdownPrivilege	3452	chrome.exe
Token: SeCreatePagefilePrivilege	3452	chrome.exe
Token: SeShutdownPrivilege	3452	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe
3452	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mmc.exe

pid process

2356 mmc.exe
2356 mmc.exe

pid	process
2356	mmc.exe
2356	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GitMultiLoader.exedriver1.exeRegAsm.exechrome.exe

description	pid	process	target process
PID 4684 wrote to memory of 3220	4684	GitMultiLoader.exe	powershell.exe
PID 4684 wrote to memory of 3220	4684	GitMultiLoader.exe	powershell.exe
PID 4684 wrote to memory of 4908	4684	GitMultiLoader.exe	driver1.exe
PID 4684 wrote to memory of 4908	4684	GitMultiLoader.exe	driver1.exe
PID 4684 wrote to memory of 4908	4684	GitMultiLoader.exe	driver1.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 4908 wrote to memory of 2088	4908	driver1.exe	RegAsm.exe
PID 2088 wrote to memory of 1448	2088	RegAsm.exe	dialer.exe
PID 2088 wrote to memory of 1448	2088	RegAsm.exe	dialer.exe
PID 2088 wrote to memory of 1448	2088	RegAsm.exe	dialer.exe
PID 2088 wrote to memory of 1448	2088	RegAsm.exe	dialer.exe
PID 2088 wrote to memory of 1448	2088	RegAsm.exe	dialer.exe
PID 3452 wrote to memory of 4752	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 4752	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 2080	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 1608	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 1608	3452	chrome.exe	chrome.exe
PID 3452 wrote to memory of 4856	3452	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Users\Admin\AppData\Local\Temp\Project\GitMultiLoader.exe
"C:\Users\Admin\AppData\Local\Temp\Project\GitMultiLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 532
4⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 524
4⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2088 -ip 2088
1⤵
PID:3248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\tpm.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1000

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StopMeasure.wmv"
1⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcdb129758,0x7ffcdb129768,0x7ffcdb129778
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:2
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3212 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac597688,0x7ff6ac597698,0x7ff6ac5976a8
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac597688,0x7ff6ac597698,0x7ff6ac5976a8
3⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5116 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
2⤵
PID:3720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1408

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7f9527d5-2ba2-40e8-b811-c5e29c9f8e03.tmp

Filesize
6KB

MD5
4d1bf1c9920c870da408bc3b2a34c94b

SHA1
77a9ae846996a39a0597f16fd9429839f8ef547b

SHA256
b27403e498150355bc44d2dd16f3413a7b5e3f4cc303ff52ead635c496c48808

SHA512
db87b660ea15a0aa9818d898ad961c5cbc12179a254dce8227ea7914000e6be0c191e2524080bc476619539b41cd01ed98e8dc3920faac8da858a8bec09dff55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
9d46a7315cda3131d804cfb64f933b1d

SHA1
d9b0b0738e7c2bf26eddf6bced318bfb31776fe6

SHA256
859e5def0a1f4c99060e3a504071edfac9ddf15230bfa1f0a39ed62cace8588c

SHA512
1e857e1cc393ab18e327fbfa18ae72b6bd89ed5c92b89d3efe0cc1b9b1eaa4159eb1de828b77a6b675eb733b927c0586f7dcd7ba30410f1a2e64b45b514f3dcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5c049df23a8f338bb6046bee1df7e318

SHA1
b895d7a1be81b5107416e544070e2464c5a86128

SHA256
c8761d840862e0582c4f7f5427c1a865f4b450c64f7d2b6e34948765cc1f56b1

SHA512
095bb2f06a19394cca734cad29c1852ea8ff84dfe1c6a212d817af4b3d1e914b9a077e15501c25c3d05380c6ea779dc82fc13e54268cf51b39134c5863c5e04d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
02ec21b1584984fa31b74513c2bf8fab

SHA1
19818b47527c25dca0252b44710c551b0cf98efa

SHA256
1061ead68c5cbb83a7215d643cd91a9bd283b9934aa8c428160c720afcb95c51

SHA512
ba876dd6e32fb5e3efa848defc58337184545fa08b725918e8b72e8fed6703c5fa3461411425788e00793c603f6b520d4e32cf6f6b5ed61ea6fa426f41ee1d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
5826866580fc24a9cb7b072971b2ac48

SHA1
609d6b62dad442269837d522ad82f181bc3dd61d

SHA256
9762ab50df77c3d46a45b9e223f48040b34ad0134a19c8a374323293e59dcb61

SHA512
fc9626169a0b190e18de91cf6e34f933cfe6dfcc23dff6ee2e9bfab6eae3fea75f41954aeb130464b2f5a2a6ca2579dbcdd24d196f08f6e910edf8d1ba663b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
48afe6012d2a6254b937d8cf449ba2d8

SHA1
0b32f448ab3d515aac4a7af5c3e77ba6a8ab6202

SHA256
7bdf099eabdcca49e8eaf4983a17940b648fdeca8fdc0f9b95f87d6b2c50c683

SHA512
5427e91b1de853c7e48af16b21a2c657cdf037810a91332aec1e9f4b8612b22182be1539aee62cde80f218b5470148881797f992cfce17e3d2cee2674fe6dc7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe596306.TMP

Filesize
89KB

MD5
1bea01d2388777eed193e5ab78583d8b

SHA1
66a57d4e1b234f6cab1430d89b62a1eb815cf8c2

SHA256
d61d7ba99188c5ce29f62215fda965055968e2e541b065908b72c7766d651695

SHA512
b500950974b8db6d467825950a299319bb9e43ec9279aa11ec78f6b0e1b52e43c17fede198a7d5e6b5a76f1e72280efdb85c6ca9dfe776225e1003491e356f37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tewt54f.cps.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\driver1.exe

Filesize
608KB

MD5
54579c50ad2796b9263f2506e32b8899

SHA1
09006f17a2d00943f851ca13888f1ed5aa0421ae

SHA256
f8014184354ad703efd84671a6591834da69134de97a2b8e8d4cfbfe77695bcc

SHA512
d11687e72b91458154f32c5af3a56afcc7071da824fd00b9f0d5b6115f39073f7d6b8ecec9de75ead17e28ae0b80e49866c03c8e0ee95fdef4aeee25818385ee

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
63f8443149e331271aea55d9053a573b

SHA1
af49add37669d931e444efa9d4e9df56f0dde88a

SHA256
c81d3499bc16c4e9d45aa56bdcb3d56cde7b07647d1586538f5a2c5f7d84c8a0

SHA512
f6da06a6863a41f498f1a7a80ad92b24dca92bf51af1c651f6ab1f260d39151fe3e14b8082ce864891d9fc4e1a1d586e4618de978d18e6c864a1ceaef90b9844

Download Submit
\??\pipe\crashpad_3452_YIEKEMXIEARQEITT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1448-54-0x00000000771D0000-0x0000000077422000-memory.dmp

Filesize
2.3MB

Download
memory/1448-47-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/1448-58-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp

Filesize
2.0MB

Download
memory/1448-57-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1448-55-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp

Filesize
2.0MB

Download
memory/1448-53-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1448-51-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp

Filesize
2.0MB

Download
memory/1448-50-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1448-49-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/2088-40-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/2088-32-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-42-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/2088-44-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/2088-43-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp

Filesize
2.0MB

Download
memory/2088-56-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/2088-46-0x00000000771D0000-0x0000000077422000-memory.dmp

Filesize
2.3MB

Download
memory/2088-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-41-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/2088-35-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2356-62-0x000000001D100000-0x000000001D110000-memory.dmp

Filesize
64KB

Download
memory/2356-61-0x000000001D1D0000-0x000000001D204000-memory.dmp

Filesize
208KB

Download
memory/2356-68-0x00007FFCDA6A0000-0x00007FFCDB162000-memory.dmp

Filesize
10.8MB

Download
memory/2356-65-0x00007FFCDA6A0000-0x00007FFCDB162000-memory.dmp

Filesize
10.8MB

Download
memory/2356-64-0x000000001D100000-0x000000001D110000-memory.dmp

Filesize
64KB

Download
memory/2356-60-0x000000001D100000-0x000000001D110000-memory.dmp

Filesize
64KB

Download
memory/2356-63-0x000000001D100000-0x000000001D110000-memory.dmp

Filesize
64KB

Download
memory/2356-59-0x00007FFCDA6A0000-0x00007FFCDB162000-memory.dmp

Filesize
10.8MB

Download
memory/3220-9-0x00007FFCDBAD0000-0x00007FFCDC592000-memory.dmp

Filesize
10.8MB

Download
memory/3220-10-0x00000188EBDA0000-0x00000188EBDB0000-memory.dmp

Filesize
64KB

Download
memory/3220-12-0x00000188EBDA0000-0x00000188EBDB0000-memory.dmp

Filesize
64KB

Download
memory/3220-11-0x00000188EBDA0000-0x00000188EBDB0000-memory.dmp

Filesize
64KB

Download
memory/3220-15-0x00007FFCDBAD0000-0x00007FFCDC592000-memory.dmp

Filesize
10.8MB

Download
memory/3220-8-0x00000188EBDB0000-0x00000188EBDD2000-memory.dmp

Filesize
136KB

Download
memory/4172-69-0x00007FF682270000-0x00007FF682368000-memory.dmp

Filesize
992KB

Download
memory/4172-70-0x00007FFCECF60000-0x00007FFCECF94000-memory.dmp

Filesize
208KB

Download
memory/4172-71-0x00007FFCDAFC0000-0x00007FFCDB274000-memory.dmp

Filesize
2.7MB

Download
memory/4172-84-0x00007FFCD8FD0000-0x00007FFCDA07B000-memory.dmp

Filesize
16.7MB

Download
memory/4172-118-0x00007FFCD8A10000-0x00007FFCD8B22000-memory.dmp

Filesize
1.1MB

Download
memory/4908-38-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/4908-37-0x0000000002A40000-0x0000000004A40000-memory.dmp

Filesize
32.0MB

Download
memory/4908-29-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4908-28-0x0000000004E80000-0x0000000004EFC000-memory.dmp

Filesize
496KB

Download
memory/4908-27-0x0000000005030000-0x00000000055D6000-memory.dmp

Filesize
5.6MB

Download
memory/4908-26-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4908-25-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4908-24-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4908-23-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/4908-22-0x0000000002800000-0x000000000287E000-memory.dmp

Filesize
504KB

Download