rhadamanthys | hxxps://www[.]mediafire[.]com/file/gzw1efzjudap9dq/CryptoFinder[.]zip/file

Analysis

max time kernel
50s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/gzw1efzjudap9dq/CryptoFinder.zip/file

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://135.181.4.162:2423/97e9fc994198e76/6ukbhvcl.3ql92

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of SetThreadContext 1 IoCs

Processes:

CryptoFinder.exe

description	pid	Process	procid_target
PID 4048 set thread context of 2396	4048	CryptoFinder.exe	116

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4536	2396	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CryptoFinder.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFinder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713509172069593"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
3732	chrome.exe
3732	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	Process
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe

pid	Process
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 3732 wrote to memory of 3972	3732	chrome.exe	83
PID 3732 wrote to memory of 3972	3732	chrome.exe	83
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 3020	3732	chrome.exe	84
PID 3732 wrote to memory of 4484	3732	chrome.exe	85
PID 3732 wrote to memory of 4484	3732	chrome.exe	85
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86
PID 3732 wrote to memory of 2920	3732	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/gzw1efzjudap9dq/CryptoFinder.zip/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd15f7cc40,0x7ffd15f7cc4c,0x7ffd15f7cc58
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4400,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4728,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4980,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5152,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5352,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5356,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5652,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6072,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5844,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5820,i,17855263841234838568,16624263733824130523,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3624

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:628

C:\Users\Admin\Desktop\CryptoFinder.exe
"C:\Users\Admin\Desktop\CryptoFinder.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 568
    3⤵
    - Program crash
    PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2396 -ip 2396
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
89f10307a4e87f78ad0b6081cd8e23f6

SHA1
a26e92f89231b60cbd742d0a259d63eebe2388d0

SHA256
dcf169dc4a6449c4cc490dbdb448505ec91dd219619f32496100649c259388b9

SHA512
5845e6b34d0effafa10ba9c5eded904c13af64128ce3a152a3c2cad9c6fa38b7358916a0948eb6288c9c9ead23bd5195e16c77c49971fb53d6ceabc1e276f0f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f5b198d5fe540a70b102936f99a99596

SHA1
405e6d5a23663b86da8b7fa43f27150aac322dd7

SHA256
386d4230eba3df6547f14ffa090c818a2b2256695ba1b75d6aedf916228bc381

SHA512
ffcd721cd0c42e017583823fa71d04dcea9587f4bd6079feddf9f1e20aef7959f4f67a6dd07c137fe2250d96e9b6f7683c825b871e0bcd27d036cd20850004cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c2932f0ae852d849d400a26c6a9a7d40

SHA1
c2633be4fb510e8695421f0dfcb943eba2b77a44

SHA256
7091d4d4be9611877565c3b10212089007467579f040c6126eac9d8c489e4442

SHA512
ff0d2dfe8e670b707179f371df93832d37d580a017dbba6c9485c5a3d8a5e9996b96928135667570882d548447da45795703d163c40d964ced6c5093f9da6007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
2271e12548546405671f8eae5e6ab10e

SHA1
97b10b7b8cb16a24d81d9c464145d039b96813fe

SHA256
feb13fc09382aacf8396dc197eb4da1530ae02e60b7e8eb580ea7fb8bf843bde

SHA512
e92533e7b50a30759c32674e596c62c83247195c7ca98df3129512cfc9d58648a1291e1a3879d768571464104b7c43f4e27326664f71166601915e3908c44b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
3ac5c61c93d5daf61a28e30863b9feb8

SHA1
c8806bc9399d2fce00b813fbd6328f78c5ae015c

SHA256
a73e3b07a15461c45a20931cd358df2ffec33678c2bf895ab1c713a7281bbc14

SHA512
4363c4935f167f522d3d43839068449a883b50c6fe7004f4ad7ecfdb2abbc7f068a91a8cf30f34e2a06314df0d791bb2eae716228d8da4211a836e4c7afb2659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
9d7407f6e8d2fda040a6414b4a1ba7e5

SHA1
53b21b65cb924c152598817ab0086a36a1c29a95

SHA256
aebd5d23c508454c4c67f542e7c343e08e4d9b82c2dd4de555f180d70039b438

SHA512
2e22d4c07ec66ed7adc82a2b87cde548fc8fd2c50c93fa205a899a30069d6d0ce15ab9821370e8521ff80285e17ac58699f7e0486cb0f607d30d1a428c325bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
35a20313a53d6b515405dda4cb5a0db4

SHA1
ee1c9a0001442eff94e74286f7318b40273693a4

SHA256
f53db0950e5ce04ceef9f364246377528656348973ea91c58c088b49a98f1f05

SHA512
981467092dc32e699a5a3e04e310228459e226e048f92a644f83a47af7524b123e07d44eab030807e1d75e35796625869274ba1fdbd4538bf0fed8b6e697192d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
1742cf0814ef6dc6450a9569f009ad1b

SHA1
f18f105f8616f088baa65cef159a23769c78cfcf

SHA256
ce1089548ad12975dbed8b4468fd2a9b80733d2f40092dc0d0c4e1b11ad3cdf8

SHA512
85a293c5df3d8450c38176b17fdb9494edf1b92e46e114da6047ba821b794d4e271541b1c6c505bde885773a5f0ac8a50ece9f3152d575f8614595ca1c0a3b8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8ab42855aec19c40e8699f7f05ada08

SHA1
e33a2f2015425a194c67171cc000e4b970fd0eaa

SHA256
b9e6576bb49c8570042b0f5a742d48183f98bcf35b36f10833d367659ae73d5b

SHA512
5786b5765517d9e4002dc032a9f9fe007bfccbf949e716442d2f29d420760fa8735f2bf105551961d49f087f692d59199ea64aa0bcc6acd585644b24de94129a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6131c7c4700ed0b57605bd7573f75cb8

SHA1
51bbaf0edd6bb30dbc88e8c8f3cc4c512b637c7d

SHA256
1014afd9a03a66d8a855d0f97d688fc7d2297214502994cca089e36bad96595d

SHA512
2e55243cdebea5617307edc159e41444ea1de884697311075f8ca5316881d9fe7891b43925864fe08b5b88fe368dae372b2230cd73e3042feed82206b3a3d6d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d0137605-1341-4136-a359-096c80acf7a7.tmp

Filesize
9KB

MD5
feee55eb94e77931464432b9e249f2a7

SHA1
51d3cc71cf0942991143cac8f34aec491e3e451c

SHA256
701c47884ae139834257af62af05541617572c3d436ba1e11ee18a1d732447f5

SHA512
4da6ae9ccb94c5c12ec3d5076f7f12c1379f5c7c5c664d25610a20ee1d3ea3229b29c1200a6fcfa564c9644997adb0fd6e71c76becb006ba282717d6e25bb140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d167ad758515e832860705f9419afe10

SHA1
761f783760084ec5ecae3b47bcdbced9057aba00

SHA256
3b8ce5e921029ed309f4b0d62b687b256092d71fc7bccb41f8ee9a42b6398238

SHA512
1d960027f53c42daf3238950e0a44aa9f22822a92a5cf35f598a8b2c2615f88923626044c42d122843f658f8f1953b3d13ffc6dac7dc122d19a2f652fbba2c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4bb733e6236fc95cc6ed465bc23bc83f

SHA1
46e09ed2d2384828a00a8c6cfa00dba36f10b0b0

SHA256
9d19c83c204ff36eaeef5bbc5ca1ebaae0bedb89c5a2d08a6db614a92c41aa34

SHA512
8fba51f26d06cc8e1e1c1f89a0467aa89be36fb779437fbffd373dde4f08346a53b28a3e185ceb30d8750df15e0b54b464586776f02cbb87a7210952e5c95dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
754554d2608c60c39215a9ad6f280e41

SHA1
71c28e75355a01ad8053dd820a930e7f5f3d8886

SHA256
a5a1cd018a8f61108db0f31504f29b866d846ba45c1f1b15ce03bfd99865360a

SHA512
6baac108d2c2968b8d9102767fbe0c34858e15aa236cbf7359ac8379c1dc2b4ffe8c4ae2d51bfde452954ed452e9c79e6af36a4d6609e3b59bd973f2123a7800

Download Submit
\??\pipe\crashpad_3732_KZSXUCPPTLAAAPHI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2396-433-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2396-427-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2396-430-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2396-431-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4048-424-0x0000000000410000-0x0000000000482000-memory.dmp

Filesize
456KB

Download
memory/4048-425-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4048-429-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4048-423-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/4048-434-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download