rhadamanthys | 7526d982e57b6147b1a57a9bf4f65ef8558951484e123dfabc9260b164f10f7f

Analysis

max time kernel
27s
max time network
34s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/07/2024, 02:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software_Setup.exe
Size

63.9MB
MD5

9ff7e52416b7d3ca8b7e035d4b15f60d
SHA1

ecf06e8679da62922f3d52d2b9e756ba311e4203
SHA256

ec4cd02feeae2e57341cb7ff396fac7d635c914775357b95a0ae3bb73ced8703
SHA512

974b9d2d21ffc0d780fb5bb531db3f4edf979e032e2b0fa9048310885fa7cac06fc138b4aa5a9d6bb19a7fc7676c72e98a9ba9c60b35428a699774b34af474af
SSDEEP

1572864:jDkFLa2/bDkFLa2/bDkFLa2/bDkFLa2/bDkFLa2/z:j6/6/6/6/6f

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4932 created 2968	4932	winhlp32.exe	50

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 4932	4376	Software_Setup.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4624	4932	WerFault.exe	85
3996	4932	WerFault.exe	85

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651376575068635"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
4932	winhlp32.exe
4932	winhlp32.exe
900	openwith.exe
900	openwith.exe
900	openwith.exe
900	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
640	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3320	640	chrome.exe	76
PID 640 wrote to memory of 3320	640	chrome.exe	76
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 3276	640	chrome.exe	78
PID 640 wrote to memory of 4948	640	chrome.exe	79
PID 640 wrote to memory of 4948	640	chrome.exe	79
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80
PID 640 wrote to memory of 300	640	chrome.exe	80

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2968
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900

C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4376
- C:\Windows\winhlp32.exe
  "C:\Windows\winhlp32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 524
    3⤵
    - Program crash
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 516
    3⤵
    - Program crash
    PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb2c1f9758,0x7ffb2c1f9768,0x7ffb2c1f9778
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:2
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1876 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:8
  2⤵
  PID:300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:8
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1652 --field-trial-handle=2012,i,16113490365008881130,18248475048483174149,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4580
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x234,0x258,0x7ff67a487688,0x7ff67a487698,0x7ff67a4876a8
    3⤵
    PID:4244
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:492
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff67a487688,0x7ff67a487698,0x7ff67a4876a8
    3⤵
    PID:408

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4828

Network

DNS

raw.githubusercontent.com

Software_Setup.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/main/mainbebrax.txt

Software_Setup.exe

Remote address:

185.199.111.133:443

Request

GET /AromatcHEBUYRKOS/chekingbebra/main/mainbebrax.txt HTTP/1.1
Accept: */*
User-Agent: Chrome/95.0.4638.54
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 577536
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "0dfe2c54d0a6ed46d57358f8ea80cc8c9b2350abdfbf112cb39bb7a58adddb8e"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: F38E:1221DE:26D86E:2F4B2C:668F3FF3
Accept-Ranges: bytes
Date: Thu, 11 Jul 2024 02:14:17 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600067-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1720664057.248109,VS0,VE165
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 95877815415eda44347c036aff9c8d25734f5d22
Expires: Thu, 11 Jul 2024 02:19:17 GMT
Source-Age: 0
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CO/zygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

202.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.212.58.216.in-addr.arpa

IN PTR

Response

202.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f101e100net

202.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f10�I

202.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f202�I
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

4.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.180.250.142.in-addr.arpa

IN PTR

Response

4.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f41e100net
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.180.14
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=106.0.5249.119&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.62.0%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D97%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D97%2526e%253D1

chrome.exe

Remote address:

142.250.180.14:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=106.0.5249.119&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.62.0%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D97%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D97%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

14.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.180.250.142.in-addr.arpa

IN PTR

Response

14.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f141e100net

185.199.111.133:443

https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/main/mainbebrax.txt

tls, http

Software_Setup.exe

20.7kB
601.3kB
441
438

HTTP Request

GET https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/main/mainbebrax.txt

HTTP Response

200
142.250.180.4:443

https://www.google.com/async/newtab_promos

tls, http2

chrome.exe

2.2kB
9.8kB
23
26

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos
142.250.180.14:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=106.0.5249.119&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.62.0%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D97%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D97%2526e%253D1

tls, http2

chrome.exe

2.0kB
9.4kB
15
17

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=106.0.5249.119&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.62.0%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D97%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D97%2526e%253D1

8.8.8.8:53

raw.githubusercontent.com

dns

Software_Setup.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.109.133

185.199.110.133

185.199.108.133
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

202.212.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

202.212.58.216.in-addr.arpa
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

4.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.180.250.142.in-addr.arpa
142.250.180.4:443

www.google.com

https

chrome.exe

4.5kB
17.5kB
19
22
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.180.14
8.8.8.8:53

14.180.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

14.180.250.142.in-addr.arpa
224.0.0.251:5353

chrome.exe

204 B
3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
944B

MD5
39901cb6d4c9a1064285f54916cbfd76

SHA1
e66678a581061a348026b736c6ff9b5fbd8a6c8e

SHA256
495cbaea42ba399e6c37e8b8b363018553163352e11c2b7084844f54a0f6f688

SHA512
31019a18937a7aee0a81c752aef8305a70b7706442aa4efaf468c4d27158bc4e9adf0442e10205a90c699a3c7a7a1c596744c20a474744a4e9b2a04f621f00a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
98c7731fe329019fdbb6d12a5e9e8a81

SHA1
fb3729daded95991d1a38213ed49231442e38ef3

SHA256
81c637d516f0fa4fdbb578bd8b8226f9878a1e750b1d3f5bdd95a326a345c046

SHA512
d62e8e0de484f6b7af99361b7deb7cf7214412c25f606af56f60db613e6af0334294a6f3f05e55859cdb74070f6347ff1d622cecfad82311bd3eb7701aac93f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0b3c1050821493549f8e31619d23f056

SHA1
ff0ae64ab065552f498090d2eb2a7b7d419dd7ef

SHA256
a6ca67754dfb585cdaa237cfc32fbcc31e4067e45be09b35f05418a200132670

SHA512
68aa75448fce1615128c3c921ac74eda821d66d436ddb4ea7c7ff5b7e03fa6acf3f2cdfb5a8c06626c5bd134c2fc1c9097f14dab8b98b00e89c3bc54af5ea733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bfa64f0cb04bc9f30bcf0e87ad715dc7

SHA1
c5f26bca2db3218125171d0cea4c66720e180c8b

SHA256
37ac4467f5399dd1811335235c57eb8ee4b8b75da7d721e6b77a8c24a235996e

SHA512
d6cbf67778dbcc4acb618edb82847b88f59098b3b8616adc7a85502e9bbeea79c58e31daa0abd8941424e57506699f61d6229a3ac154fedd27a92b4d97486a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9ced25e3dcd171fb6c074a405d2c5c30

SHA1
4f3a5013c93f93fbdf301f9b957d46d4e18620e3

SHA256
b520c35b842d908693a744d4932e929752459b7b58781a982ed265118c0d4a16

SHA512
9d97b8efca574f5afeb819b26bf2b42e1209aed28f04980d4ef6fb5ec45ab7535793d893f8ff74c6363602d46531c9e067ddc70c1e84049c85b3960b9d084968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
913285ac0d4c6dd341d0d721d6a6af1c

SHA1
388b50cb1c214aa318bd0f2616dbfae2463c4400

SHA256
85ba9b42d0bb94875343ecb77b7543b7fa727e1504495c0b702e8904af1b1784

SHA512
40a98af55f5dad1a7563ef9ce5829d34e3e5bc57135c7579053f08586ede2a09ee710e9d3ae6b5ecadd01e8f4d6f40c8170481bc06b1f6b116cef924b2184c3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
e74f71c6bdbc2ce886d3c59ebeb6117c

SHA1
dcb75662c459f5c65b607c83e0a2fa09aac97ea3

SHA256
918c36cd4a87e15699ba9c21464450dc402e6201b7ebfee4475d56f2561c494b

SHA512
53b84fab57c56c5cfd25ab0b2c87535882c7f63e3d8d3d4b525abd9aa8328f227739ed1c1742437041517920e8ae675254d73a182bfc8bacff0b1022c097f00a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
6b2b96b7089e216fa73e724742653ec4

SHA1
0013ccd00a7248d3e63a6c5a103b5122b74da3ee

SHA256
d9903fb7940130f483997f549612947b045832e1ff8100efa638e7f011efd491

SHA512
c242b18a492da664ca44ca8cea58c442e16ceb10356432aad47dc8037ba01b1b194e41e5cbfdf79b26fab01fc0852d4123c2acd784e74b81a9cf3c5dde12d1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3c2cf370210349cde17c84c1d8ab7a36

SHA1
5da67b2fa8a30e891b6a0e4cb39fa2d6931f17f4

SHA256
f98e79370808edb1c8f5f754bf6cc259c63618b47a58751f285c25786546c877

SHA512
3e869131d1fc22b6dba4a4ec246c720e480f6044d52f9a0e62ecdeff20268c290db373b341444bbfd6c6a6b1e3397a13f75f42ec9343beb8eccaad8a1143a4dc

Download Submit
memory/900-41-0x0000000004350000-0x0000000004750000-memory.dmp

Filesize
4.0MB

Download
memory/900-42-0x00007FFB37EA0000-0x00007FFB3807B000-memory.dmp

Filesize
1.9MB

Download
memory/900-44-0x0000000077130000-0x00000000772F2000-memory.dmp

Filesize
1.8MB

Download
memory/900-39-0x0000000002560000-0x0000000002569000-memory.dmp

Filesize
36KB

Download
memory/4932-35-0x0000000005720000-0x0000000005B20000-memory.dmp

Filesize
4.0MB

Download
memory/4932-38-0x0000000077130000-0x00000000772F2000-memory.dmp

Filesize
1.8MB

Download
memory/4932-36-0x00007FFB37EA0000-0x00007FFB3807B000-memory.dmp

Filesize
1.9MB

Download
memory/4932-34-0x0000000005720000-0x0000000005B20000-memory.dmp

Filesize
4.0MB

Download
memory/4932-25-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4932-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.