rhadamanthys | e9c20fc894aaa64d5b2e4b00ab97194f6e0ceadd79bbc206cb41632567b5894a

Analysis

max time kernel
134s
max time network
131s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-08-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

game_2024.zip
Size

2.0MB
MD5

7c77a4f104c0d5f3ea91450d39720107
SHA1

b324b8486826ba1073fce3f869b2d4a997bf7c45
SHA256

e9c20fc894aaa64d5b2e4b00ab97194f6e0ceadd79bbc206cb41632567b5894a
SHA512

863760ac65c8857b6e79026e1a7ea7506177fd8465ed8875c390dd71a9907111b5e696e74b9d3417871f366dd095546788d4d070e86eb0f9902023dc95112d2c
SSDEEP

49152:Jf1XJrN8RWlJOc2AEvo8nAxL8TlBhp7lHFeEsj:J9XRF8vnAx4T/DlHFp4

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://154.216.18.122:2013/fb9e53a2cacd52/hkabqexs.2mj2h

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1480 created 3008	1480	start.exe	49

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4380	1480	WerFault.exe	106
3880	1480	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690358400592454"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\game_2024.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
1480	start.exe
1480	start.exe
4880	openwith.exe
4880	openwith.exe
4880	openwith.exe
4880	openwith.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3176	4512	chrome.exe	86
PID 4512 wrote to memory of 3176	4512	chrome.exe	86
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 4284	4512	chrome.exe	87
PID 4512 wrote to memory of 3480	4512	chrome.exe	88
PID 4512 wrote to memory of 3480	4512	chrome.exe	88
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89
PID 4512 wrote to memory of 3704	4512	chrome.exe	89

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3008
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4880

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\game_2024.zip
1⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba653cc40,0x7ffba653cc4c,0x7ffba653cc58
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1924,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5168,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3108,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4852,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5316,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1164,i,14401028538195606300,5332256861885842847,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3364

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4828

C:\Users\Admin\Downloads\game_2024\start.exe
"C:\Users\Admin\Downloads\game_2024\start.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4100
- C:\Users\Admin\Downloads\game_2024\start.exe
  "C:\Users\Admin\Downloads\game_2024\start.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 488
    3⤵
    - Program crash
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 484
    3⤵
    - Program crash
    PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1480 -ip 1480
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d56c90cf1ff6567d934977fb178605c0

SHA1
2ba4bf90593b46f86073a990dc239b2ef9c15bec

SHA256
e4961ea48767fcd80a6c626350ec730c8fbcf7c84ce5a5097beb96af7aac2fdb

SHA512
6dee81c94e4b04831a3087c3016666a06a001ef0f5da9dbb0a1102e2da6caf60dcbd479e47a18bc39a7f8da7c0a3024a05c2913408a8acf2c890e19b2d9ee0db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c78e530000eac2c7649adcb661f523c5

SHA1
5fd450318376602052fac738f467f413c8d09c0e

SHA256
b736a5ac01ec750b468a1e23b4f98ffd7dd0e10ec4e851faeb7e41f16e953bd0

SHA512
e601351651282d43c342d46f46f1219af276f9ebc7311b9c42884f5fcf91d32673a261a840688f3603aa936fe1096a6da0e19a8b41e4afc74413d17abafee195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
135bfdc48f4918bd4486f6ffc4e60733

SHA1
0dc99aed626e45bb107fb589cc232b07566764bb

SHA256
9407d3c8dedc1dee405ea7c1fc268f6b2899c35ea0289cbf608fc016b6aca114

SHA512
9355eebe2d731ffbf289c40d2e1c4f4de58a49e33788275299ed409716fde3f2df3c88a7b22953278bfd6c45342825d6d66e57aa9d916549f877bc4b14986bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
920084da9e8399dc7bf34df6862473a9

SHA1
fb3ad1956d6524b1f8d9ffebef23cd2443be4261

SHA256
cd6c0539ba1b96d61ab74c66ba72888b60f0e9b6b0fb7aa21573ea1283b841ea

SHA512
d43fee70465df996441adb5a02e02722c48eec9a5988f75ca7a21a34307852e48305362e1d1a1a05ac5716ae1cfc905db09d5844431afd539973a2b1412b9e71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
924ddc18ad776b7d51e2f4e57de51527

SHA1
f437f1cb12068aaf3e2ecad409505b65fbcf1b77

SHA256
a0d7dac49beeb6a639c4a85b835be217cbfae7b715c7bd94a86f103ab50a627b

SHA512
d41e94e1240eef333ae8581fb926b80c317ff8bfbce26d2bcbde5f11ff3b4af74782d6d5020ce5030344c648ecc217fd9c7f3631365f1b91ed05dcabfb7766ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
20338fa41cda7defa69c695231bc5d6c

SHA1
5fccfc5de27ea03ae45ba421f907724cc55f7326

SHA256
92bc6c1cf2c7f9502637eca7168b570ef04d55f9d0af000b45d4e2856fb9d3f9

SHA512
db991761f14814ed594ee7d4513e7cd8185d9d1731f9431dde696983123254d470d39e47aee3d01e6d4cf5cac50fcd85a16164ada79fdedfb1f1013a6bca9897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5bb058930da96f61cdef5a1679b14e09

SHA1
5b1ad41d7fd01613432667d92ecb046eecec62f5

SHA256
57cb7e676a87e309dfb1cd6f04aeb6d07a669655067f5cea02e6574d2ab23b37

SHA512
15dcf811b7aaa9300fdd3822485209c51e8fe09ec8fe4c561c1f8f423f9b328cf3c1a7068de4565ad5ef22793bf403c64a0abc60daaca09f5da2a246e8d8b2aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
51995fffed083291c1a15c03b8ba157f

SHA1
c02f2053660dc95f44a6373c4cdec53da718b629

SHA256
65db123d78991ba99bbb6c0d4fcd677eeca9d3756fb45a3c62614bfba6438784

SHA512
d35c02910382398f28dd74da1cca60b652271da02887b1769c89ef82ae38a36056dbee3d14b8d7ef7371a95bcaf2a200762f4ad19a5163f338f17e3b0755eb03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a86a1731c40dc0cd81daec709a480528

SHA1
f5ef1a070868e1160422ab0eb40ca59d34baea37

SHA256
ee497da838f77713ae1db291a0ec65f2061873f1f24c6f0f4f55711c5f9780d6

SHA512
9bc9bd2e5f5048e2d4d22a6a9847590afc36caaf5a8db8919db2b77dd4aff17eb96dc63d82f63f0846a2429d330e2a0447f804088f1950cf0b96feeda622468a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1ac8cdef2780a61caf49cc022756675b

SHA1
8143b0eaee93a126eedd9d1e4b8d06e749759c30

SHA256
eac7d441f4592b67ff4d6721fcdec9fcf2c7709487ceb75e980378a34eafd4c0

SHA512
1c8f4b67a1346a3444e00660ee73bfc099f878cf662343ecb109d6efd4e236220c1803f9909ecb85903c00d7f4169a4e58fed5ee09db813622434e1a8936d094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f01cafab662af9624ccff54391b19bea

SHA1
26a2b842ea74d27bc98b10ede401aa15c0d88029

SHA256
0cac7d27a4f79da4f8d2eacba5deac55866cc97cddf2d731087dd940cea006f5

SHA512
9a1ff8f9b7abe701fe8dbf3dc83faa52bd718c4f346678579add881f855c720268aa9e072e095c3f9fd41eb45f709e9c825ad1310902fbf3c4c4a01ffa314667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
67467a1fe6c2c58d59d14d985708f7ec

SHA1
0f36a213bbaeb9c4d1e48807ae5cc34a32cf6160

SHA256
03c0f4f80b25971b606494e267fcc4f04c30b1063ad18e4839dec6726c0561c1

SHA512
bc600032a231c0ad89b20d3dc87c215fcad1b26af118f41519b5da998dd65dcfe8e88b533f125ab7732ed0ebbdaee0eec796fe9ed23ab60fcdfb3cbadc3f03ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
206fc226a63f1ada9b4e19bbb3600d92

SHA1
6f0aef1bd97206d7373c40f12cb214f36111120a

SHA256
94040b9f2775791a346c78a8e991c496978cc0f1be487fc42cd015bf14bf26b9

SHA512
76f56eb1c12e529de1b02566aef884e3b146e6453f3cedc37ad66eb0c68445747b1554f4476ad10a4bcb859d3d9af092faac9ee109336a06db7994a5c95457c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
29514cf5cb223d74542143c1f23f294c

SHA1
2fcdd0021bcaa4af1ef3781a318d04dd598c25a3

SHA256
040e5e4e54ef536dd804f83343ba6d080f2f04ab6dd3ad1b9c8f2061ac0952fc

SHA512
6702f4559babe8a7eba31078cc7de33dcb2bae95ca7cab2036a9775c9a53210815ce67457b47df7f7010d1c5c96a32cf18a2ea898e1be632dc7c76d4b8d2a2da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
4df4a70a5772cd620ca28c406d0e5a0a

SHA1
54b203900b95072fa46242572184f5d199991a7e

SHA256
4db6627876f0d4333a571ab8cb41dd723f6f2f9dbcad9b24e3c4d2175c6a7141

SHA512
ef5481c8ecc50684b4e553b78a282c69312059233e434775710de04b8204d793333260c2b7c5b8d8405ff09bfaee444a83a93641a90c8c5ea7a3fff30451fedc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
11135a62990ad63aa5c215cc03c73e5b

SHA1
b160427fa1e970ceb1f55c952b84ee58afe78f49

SHA256
f8470817c73bf489c28a3f4bbb77e53143c1a6c3e8091f87cf9f5cb627ac1c87

SHA512
40c496805ee5559f6bd120bb93eb17e46052f7f09eeb2c71916af47103958bff77ff2922e622604880cacd19dc509f97ac2ceed1c708d2ad949af3952f04219f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
55a52eea25a7ce03f86589deb410301c

SHA1
f307e023a50605060d8dcd72c7669903730a426d

SHA256
a064007ab01bc613d96f395e3892bbb4f197d251a8683720b900a98f1f5fef1c

SHA512
39b0db2efc999b3b7135e370f010063572319f281bd79e6750e9455ef0b88649800d3c0c4174f0f95c051864d620d2bc9fa4de4172ba5b8f1166deaf093d84ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
4941cb860f677741b8f6d81c81e5907b

SHA1
1faaa7da0f1dce4b29e3975bfcdd709817c3263d

SHA256
001053b968161fa4a3171783e001e2afbf84db660b4e3a4f68da8321df96f07a

SHA512
c9f7aff1bcf9e9992928e8dc71aff6c97c33ac4d3955487b462a63933f020c4228ff4242279e3e973ad5ebb4edcc35a99df50ba948dee060f9c48b74737295bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
43418af563b8831b6ad3e1757522fcbf

SHA1
af1db1cc1c65f399fe9bcc90b7b7857eec3d02c8

SHA256
a91af2bd22ea55714f0b0855b2ea9e5feffc76f86cef13edc9bbf00c52539891

SHA512
c748221a8012b902a59ff3cacd97672f4447b0779a4e66c7a7d62b125b8643ea3e789d52db97b80248ce0d919614da056ccf5d253230368f4eb0b76e9f8ccb38

Download Submit
C:\Users\Admin\Downloads\game_2024.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1480-278-0x00007FFBB5C40000-0x00007FFBB5E49000-memory.dmp

Filesize
2.0MB

Download
memory/1480-275-0x0000000000720000-0x000000000079E000-memory.dmp

Filesize
504KB

Download
memory/1480-272-0x0000000000720000-0x000000000079E000-memory.dmp

Filesize
504KB

Download
memory/1480-280-0x0000000076C90000-0x0000000076EE2000-memory.dmp

Filesize
2.3MB

Download
memory/1480-276-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/1480-277-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/4100-269-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/4100-268-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/4100-274-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/4100-273-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/4100-270-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/4100-271-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/4880-281-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

Filesize
36KB

Download
memory/4880-286-0x0000000076C90000-0x0000000076EE2000-memory.dmp

Filesize
2.3MB

Download
memory/4880-284-0x00007FFBB5C40000-0x00007FFBB5E49000-memory.dmp

Filesize
2.0MB

Download
memory/4880-283-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download