rhadamanthys | e08634027ca7fc719e50bf15f94ed5148fb34d0d589c2df0b81ec348b8b45371

Analysis

max time kernel
91s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.pdf
Size

1013KB
MD5

64c3529b5e79230e3b3c36f1069bf394
SHA1

aba241bfbb588bee372efe8953b5f1ad73d3c713
SHA256

e08634027ca7fc719e50bf15f94ed5148fb34d0d589c2df0b81ec348b8b45371
SHA512

e8e453c9883fd5ddfb6204971f346acc237f8afaeeb083d83af94fae1acae476453beb5b0ecf6edc57668968a7736fc095e23a87436154767dd8af8a10686b63
SSDEEP

24576:VRtydZmeb9tvRTBbR0kjQ+gcdcenmGevpEA8D:iZ1bNBvfcOeBERD

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://154.216.18.122:2013/fb9e53a2cacd52/hkabqexs.2mj2h

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

start.exe

description	pid	Process	procid_target
PID 2092 created 2848	2092	start.exe	49

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2872	2092	WerFault.exe	113
1996	2092	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exestart.exestart.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689993343187779"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release (4).zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exestart.exeopenwith.exe

pid	Process
5004	chrome.exe
5004	chrome.exe
2092	start.exe
2092	start.exe
4188	openwith.exe
4188	openwith.exe
4188	openwith.exe
4188	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

AcroRd32.exechrome.exe

pid	Process
3724	AcroRd32.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid	Process
3724	AcroRd32.exe
3724	AcroRd32.exe
3724	AcroRd32.exe
3724	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 5004 wrote to memory of 2880	5004	chrome.exe	84
PID 5004 wrote to memory of 2880	5004	chrome.exe	84
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 748	5004	chrome.exe	86
PID 5004 wrote to memory of 2212	5004	chrome.exe	87
PID 5004 wrote to memory of 2212	5004	chrome.exe	87
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88
PID 5004 wrote to memory of 2140	5004	chrome.exe	88

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9cf72cc40,0x7ff9cf72cc4c,0x7ff9cf72cc58
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4940,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3216,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5136,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5396,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5388,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5764,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5912,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5892,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5568,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6412,i,10293477161071902498,300939478111423865,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:4700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3368

C:\Users\Admin\Downloads\Release (4)\start.exe
"C:\Users\Admin\Downloads\Release (4)\start.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1116
- C:\Users\Admin\Downloads\Release (4)\start.exe
  "C:\Users\Admin\Downloads\Release (4)\start.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 488
    3⤵
    - Program crash
    PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 484
    3⤵
    - Program crash
    PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2092 -ip 2092
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2092 -ip 2092
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8c70a081513b9b6b57176170ad4631f2

SHA1
1fef79c42e99fcdb28e4032cc189ae07a043bf23

SHA256
da3d4c9598cc59f71715904a8aae6fe3caf08f8e6230e086e6a63d7c44036c85

SHA512
14a64ad5052b86ec163da43beb47044818da8742db259eccbdb2b98f9bdd211717bd73367dba1f5c229f6470c67d3af191ebbd63767d045a3eca446a7a25a478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d9571106ed7a9a68f1d50834524b8489

SHA1
f1af68fffe230a095a0636e4e9722fc32bfc12bd

SHA256
8eb3e664f02220910603795e248f6ee5d623aa2ce4aaf88488e53317f690d305

SHA512
ea82351c231365a2cdfd8db77e6259acf55ffe560ed470adb5cf42ff457f26912d9c9d30c8182b9542d0ac4ac5b350d3dce25334edb62e0d613687d4460636f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
86a8f4a7f06d462f70620be2af0acafa

SHA1
2cffa38c7d56c8b7ff5d44ff51a6c45a414fb495

SHA256
2168b5d1c0d740dc33664cc3e09dcdb472891331f2c2e9b8e58aba5138b2c796

SHA512
a285cf09b9f7b3766d054912c8a17d903c769b7cbb2f27cafd84fb517c39aa4a8e864ae9d0572e4a5edc5c114ef389243efc7503a0c7d2660aa4bf8c7edc3978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
350B

MD5
f39ad15f90dc5b90e6a35d9131e2f9d1

SHA1
eb5f1eca86cabd23ed6127f5cbe0a1a523676876

SHA256
fda970391c5389834d606450b663b370d1e673fe0ce51ac3fcfda6494853794f

SHA512
ea61a0c94e4b2fe6d9cfa73f294faf6083d3ac92cd58924f5476c01421896617e63c96dbe41691d2691cfaeb5dcb58888d0de9480c1f7a5f086a938c2f8cd161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
846B

MD5
0c2f50f575a222842dbdb4a1db99d834

SHA1
5fe625fbf936f1835e88b88950e2a1023caa7dd7

SHA256
19c73ecf64f8b64babf2949f4d7d6a58abca738ea8bbe59c6c5c0ba449a4103e

SHA512
4e7e3fef8635147c55057b816af0904bbef86bce9931a7ef9c3140c7359e78d61151d7001bb95c01bcb1d4e6824b568482f5f3fbcbf2e23a15e990bcb535eb57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ed09a871d25ac39bc162ed993340d16b

SHA1
05886f4c8da91b171d5c5489c79e4c804ac56f62

SHA256
34b9ee60d9846b23bdbdaf33662e1dbd5b4cf15df2da7869b17dc57a84a96c4a

SHA512
da48397d4d0147a3cb34e0d874adc75a307875a1fd9024e830f6ee5e18e7a3bf4f3879a8a22a9de1ce99427e5049b4c0aa222c17ed02546017ee95c92eaf9752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e352889f3865a046d8cda2ddbe01283

SHA1
cdcc147f8223f4b46b781edb1050cec06ea1aad0

SHA256
39cc44ce1af4ab85c0413e219cf8d323d6e269ac2b3033860a0d06e3cfe3b5f6

SHA512
4671908100556611abc57546442a68e295fa9bfa22de8aa468e53e73833848ff05e55236e025ed2c3dd83bba21f650b3a496cc8a3b406bb97cc9ffcb5bb0a3ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
27e9ae4bdc6a04ae4d8290e999d54a89

SHA1
86b71d14361c7d86574646100d55e648ed76f3f5

SHA256
06921c531c858566d9642f8a7920ad3d430063aeb27b5f5fe6de16ea74812276

SHA512
132e97930772c078b1feb4f081c004173f2eac50ea7d95bf01443b49102c876252405ae9216785f7f4b5cb0a3a3cf850936b34e2e0b318b48bcb96aaf9f3b2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b92e49cb7748f0cd4c29d0504cfbfee9

SHA1
8ac3a170f2f3644fbdb69de7d51b6debe26a07b0

SHA256
bc420c5ff25c6f99b79138b8589432ce2f32a39d260d3f351951c5d0a8aec642

SHA512
4b24903a5110b1040553f5baa2d05fb4b97b60389c9173888ee04235ac107712885207d55f8508899d2857f64120c13b253f73cd6d1abf9fd08efe093e7311ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ae761740d25d9f86d51f65946f9bf84

SHA1
44ebcbee12754a8e9de7bd0509e44ea074e64c8e

SHA256
405abcbaed1d89a2e97863d09495a4664d238fb0b6c400573ced26b0b8de4a4b

SHA512
2724ca25b74706331a09fca6dc05d3d7da05c4b4b95bc42096fb2db00fd752aa245162989466b61051e10390655b5a703b3c3c6cee7791571a0743cd7f63f201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0e0ec18610b0e138afe3561c0bc403a0

SHA1
8ab863cdfa9887aad95e4f1c318ab8d80239bed7

SHA256
fe0f2744d1229cac7eb392de4144f59acfc5a3bd04ee3ef74890e14738d20b74

SHA512
329ee44014dea3b38b10ad860ff3f3dc6517a25feeb365c86a35cc96f18207f273bb3526544bed2113e4a41807b710395e580fddc29b16af6a7740dfcf7a4901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd288bbd-622b-45d8-9c58-79d198023f61.tmp

Filesize
8KB

MD5
7d7ba922d9e36983779aca8233eacfcf

SHA1
87660ee9738c799067238334a0b8909873ea5672

SHA256
13fce8fa19edf4f5435967e7d95250d1350c3ef16072ee4f82ee2fb322ef92d8

SHA512
96886382d557fa2958f1d3712df72ad2ab8f9a0308dd5d4129d626f38b77568ef8b36ed9b169400317d538d7221cfc5c2d426746dd6df2911316f51ae28deba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fa1aec4a-16ae-4c4f-8c64-a5fe8349c411.tmp

Filesize
8KB

MD5
ec9c128419facdb67536567c314daa3b

SHA1
a6157d5e9ab0ac58d6cbe2761d5ab52a0f19edff

SHA256
f80101b5d6f5e1f2f64fb1d2b339845752c6ef76e13ce9904be14acd853c85aa

SHA512
44c05effaae4031af775d669710fffd2cd1b18c7d17cc6d7ca011e5a6c393c27f9140730f4ab3fd67d0bd4658fb88423c764235e5e5cf416bf3d9a1b189b53d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
66de70a4cdeb24fe06ceef288e1f206d

SHA1
a3ec530747a6cb2caa8c7e62f57473b77fb8e28a

SHA256
b8093fa7dbab3c4364283bc6f889fe5c355b1d58d9d304e87d5e53d22da88fb7

SHA512
8f571c792f64c6d3efdb10f59a126b62345885289ebaec14dd61a65b79f156d065580cd641c7b1ce820281b87342ce0633a968486d22fbd09b9e46a8451e2dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
b1cd270514de5d7d65bb6a6e5e76af09

SHA1
95f1fe01f230556725c021801480ea6af39c2a61

SHA256
8a036eaceaa188f62d54e88bf3f943b47af5e70b36d382398d11ce77032766fc

SHA512
5256e8b6550df711ef834f41e09751854da7d5427d3e91ce3fa51a5b5d6a341afab1d4a0280d6fec1921abe0b646165568ad91d2dc270002ccb6c1f7e0c4b50c

Download Submit
C:\Users\Admin\Downloads\Release (4).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_5004_KGIUMQYKCJQKMCRL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1116-348-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/1116-350-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/1116-347-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/1116-345-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/1116-346-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/1116-351-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/2092-372-0x0000000003F40000-0x0000000004340000-memory.dmp

Filesize
4.0MB

Download
memory/2092-371-0x0000000003F40000-0x0000000004340000-memory.dmp

Filesize
4.0MB

Download
memory/2092-373-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

Filesize
2.0MB

Download
memory/2092-375-0x00000000767D0000-0x0000000076A22000-memory.dmp

Filesize
2.3MB

Download
memory/2092-352-0x0000000000C20000-0x0000000000C9E000-memory.dmp

Filesize
504KB

Download
memory/2092-349-0x0000000000C20000-0x0000000000C9E000-memory.dmp

Filesize
504KB

Download
memory/4188-376-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/4188-387-0x0000000002BD0000-0x0000000002FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4188-388-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

Filesize
2.0MB

Download
memory/4188-399-0x00000000767D0000-0x0000000076A22000-memory.dmp

Filesize
2.3MB

Download