rhadamanthys | f0fdacf36c7b831b9fc142a87b30f78102890791de309ac1046a12f30473a728

Analysis

max time kernel
78s
max time network
76s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
23-09-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

link.txt
Size

20B
MD5

76c9d029aef0ec75fcb3ac8a247d5a3d
SHA1

302c59ceceefa9ce234aa5fb932411da8f7c4098
SHA256

f0fdacf36c7b831b9fc142a87b30f78102890791de309ac1046a12f30473a728
SHA512

b8c5bff79717729da1ce04decd2138ba7a26c80332005608013e80d1e14b7869686e97a8c160aad8a4da1c8954084ece30a71237347061de94a8732c7dbf7e05

Score

10^/10

rhadamanthys discovery evasion execution stealer themida trojan

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

h7D7jZw1Lm.exe

description	pid	Process	procid_target
PID 1036 created 2928	1036	h7D7jZw1Lm.exe	49

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

h7D7jZw1Lm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	h7D7jZw1Lm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
800	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h7D7jZw1Lm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	h7D7jZw1Lm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	h7D7jZw1Lm.exe

Executes dropped EXE 1 IoCs

Processes:

h7D7jZw1Lm.exe

pid	Process
1036	h7D7jZw1Lm.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000300000002aac5-207.dat	themida
behavioral1/memory/1036-208-0x0000000000D80000-0x0000000001219000-memory.dmp	themida
behavioral1/memory/1036-210-0x0000000000D80000-0x0000000001219000-memory.dmp	themida
behavioral1/memory/1036-211-0x0000000000D80000-0x0000000001219000-memory.dmp	themida
behavioral1/memory/1036-212-0x0000000000D80000-0x0000000001219000-memory.dmp	themida
behavioral1/memory/1036-213-0x0000000000D80000-0x0000000001219000-memory.dmp	themida
behavioral1/memory/1036-222-0x0000000000D80000-0x0000000001219000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

h7D7jZw1Lm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	h7D7jZw1Lm.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

openwith.exeh7D7jZw1Lm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h7D7jZw1Lm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133715861139815558"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ehtherthtrh.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
3720	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exepowershell.exeh7D7jZw1Lm.exeopenwith.exe

pid	Process
3404	chrome.exe
3404	chrome.exe
800	powershell.exe
800	powershell.exe
1036	h7D7jZw1Lm.exe
1036	h7D7jZw1Lm.exe
2316	openwith.exe
2316	openwith.exe
2316	openwith.exe
2316	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

launcher.exeh7D7jZw1Lm.exe

pid	Process
3396	launcher.exe
1036	h7D7jZw1Lm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exechrome.exe

description	pid	Process	procid_target
PID 3540 wrote to memory of 3720	3540	cmd.exe	79
PID 3540 wrote to memory of 3720	3540	cmd.exe	79
PID 3404 wrote to memory of 4476	3404	chrome.exe	83
PID 3404 wrote to memory of 4476	3404	chrome.exe	83
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 3464	3404	chrome.exe	84
PID 3404 wrote to memory of 224	3404	chrome.exe	85
PID 3404 wrote to memory of 224	3404	chrome.exe	85
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86
PID 3404 wrote to memory of 2284	3404	chrome.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2928
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\link.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\link.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff97eecc40,0x7fff97eecc4c,0x7fff97eecc58
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4540,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5132,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4312,i,13505999309990775861,8996155043345704172,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3060 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4992

C:\Users\Admin\Desktop\launcher.exe
"C:\Users\Admin\Desktop\launcher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\h7D7jZw1Lm.exe"
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\h7D7jZw1Lm.exe
    C:\Users\Admin\AppData\Local\Temp\h7D7jZw1Lm.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
61f6e3e2d9df469c374ff452d80b66fc

SHA1
8451e12f5b6c9dd5d41de8252ad764c6075299c4

SHA256
7369ec8e3d190bc5ab7312c24e5c4aff2a842b5907be7bfd13c870cb7625ae1b

SHA512
d890428770dd5c4768f0d2cf6068ae36bc919fa1d97b731762a8970b1b6f884ac9ca382a39973c01303e1f9f9a01cee96db5b71e38bbf5b41f71704201216217

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b0fcbe64eebfed862ab5811bc0201fc6

SHA1
1c08b6b8dcecf3f1444916471cf453f537bef3f7

SHA256
ae2dcb92f9437b4a92d35ec47d341ef0767895758b610873bf43397e4aec1194

SHA512
5c7d9f0ab1058de52072628fae9e9bf8eb678ab4e16b380e8e292913ee4383a8ab6afc92478f3ab2aefdc664dcc6d6e057a908c620e9e2086064176b3d122280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
9122d16cf93b0032e811af7c9cfe2271

SHA1
1306aad26ea58dc561cdb9d7182660249c46c403

SHA256
ec79fd4e93ebfd10bd3f81742f5da96549e021d966cfa2e5949be2affb3744d6

SHA512
c7edad83bb5012eb300b63165fd474f5801c6af93b1b26f73e0980c02395f876a0858f9af6f905de2ed2246278178e9fd6f2378d743f20cd28125b97db528e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f9590850047af35090aa8d3f74d3cce

SHA1
4def0ded86ce6dc96fe4776f11188a1dc99b96f9

SHA256
6b3875db1f7bc4b52fa76b376a26b849cf487fedd6565055d1412fcf941ce4dd

SHA512
b2dc832857e98afdeebbce11cfdf4a910bb7901ed12694be4cf8f7ccf0048d10f40e8511dd1f9da8ad0c91b808959fb5d938ff6116e9a7dfa331b91cf968c618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
953b14eb34406b64da55e72a22b242a6

SHA1
247675dca9ac3b1f964dd4705327887e3fd987a8

SHA256
e53e2e6a3de426ad74021cce24f810583bd6c2b675de6e67e4d624870cf11a0e

SHA512
c6c33d591de654ebbda2b0270e370b09265f04dacd789f326e4597ae20d17956bec47fe09d692b3b09f85bb05a2882abb631f2b77386f2d2227d7114ef0eb067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e90ffd9a25cbe2fd1b61c5e22eda8bb7

SHA1
e27be49259fe5809b15ed38aa12381c2525735f6

SHA256
cdf7f3ceeae502945cbfdbfdfdefa494ae3116d8eb01fe4db36f14eb9e5f9a49

SHA512
d350aac095a32e80cb9a5f67cdd485b081a30e301b15cff6ffdb9f87d84db6b011dae2e463ab7bbdb28f02cd3a4e773115b826280e144838a2cc3234a9bb1a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d90e10200affc41197323beeac14116

SHA1
ffd7f80005190b406cd9dde6e28ae39587f9e4e6

SHA256
525e11124f359d3d456549d78fc3cc7e4d1fa166d9223de2a30b4d52b704ce8a

SHA512
ef7289628028de5d9fc709d5d84cb453d5a08ec1472c0ee2dc5042da9975fc9d0ae5a374f954dcf52a2fadd7daf38692d20b7dd06793ac23dd43d2067cd6f370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cd2f7468aadc2ec81440aaf3656e0d0d

SHA1
7689c693a8829cc29b8b6917ff4891bbd81bc990

SHA256
41f5695f55bb3e7feff1bc854b009560c13284a0e4f5366e2e87e4557f5e1788

SHA512
5701916ff76fd27433d575af47abb014b57693871486cc0e616bbbbcd84cb6721a9f3b8803f0b0a1397dbd454ba91525f0d19b1c92f474270c2323f2c3125197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
1561da85d241a43e5a598503f06056a8

SHA1
7e00f86b36809fe4c1014fe3d42f6b015f6c8f0a

SHA256
cd38f320ea35b56af1ac0715dde7d7d08f7239d60a9d37e625ca4e4d6efbbac1

SHA512
ddf1d1e954f729f4364df94d0a6c269b291261e83f124328c96a8112237cef04c65dd9949b772a7112cc9b7aa448a987bd9cd210bde1c2bb96651e18148542d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
d4258d9ec3b18f248e618cb49b2b171d

SHA1
4909e460489108321785f67e478236bf72fc43a9

SHA256
0e578d7d16d997d05360e39c4d7c36d89af2e0674fbe4f2461857d27d54b3bf9

SHA512
b2dfa19b71f130b4107408cf8dd4321d788ef8bb83915c62fe632b52394afdeb52ec32fd5f1b6b1fac2b0c1d6e610fcce6c6e1ad89deaec2d18b484f4f8ea69f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
a90aa3151b6d340276c33ab96229cc16

SHA1
dbac8cf9392b679b199c19019994bebaad8d2399

SHA256
5b98cd64e6afdf661c2b853aa99eff3c9e0e16bc75b6041bb40003eb3d919590

SHA512
76333714e2a65c14621dfb8c8a41c71611a33484f20a29b23d7ae768df0eebe6c7d6d93b5c06d6fb89e604b298f69c12d75f721d4291718019a48ad2d8e3687e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b51dd2432808c5df9003d8943fe05328

SHA1
a56e11a4167181d5087bd3a825b268409249d9d2

SHA256
2083903864b8f6e4f0e5fa585dd8de3529d15f0447b5859138074211f265cf6c

SHA512
7af872a04ff6b58de0f5e23b1b68cdf95a0db43759b41b5b2e38f95632269c8473b79b5940027060401140503e3e904667137d976b608839e95e9cdb9017bc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2b54ovnj.r3j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7D7jZw1Lm.exe

Filesize
4.4MB

MD5
df66021182d1293be836a1868e977f03

SHA1
a7db7bbd2ca7fcc4b52934628cdbe78e7d491341

SHA256
32c1b3ce14b6444ff5ab04e126ea58c2d3d686e44093e1f153bf68997913de64

SHA512
69ffca08a00b81040baa3c629784ed675a025decf09c1003d5d5b49344e6660bf4686869c5dd6b201ee843fbe9bb4097538fd8af4df77feb95000f0a1eabe744

Download Submit
C:\Users\Admin\Downloads\ehtherthtrh.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_3404_EZKTUJLZFMCQRZOE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/800-199-0x000001C87E1D0000-0x000001C87E1F2000-memory.dmp

Filesize
136KB

Download
memory/1036-216-0x00007FFFA6C80000-0x00007FFFA6E89000-memory.dmp

Filesize
2.0MB

Download
memory/1036-208-0x0000000000D80000-0x0000000001219000-memory.dmp

Filesize
4.6MB

Download
memory/1036-211-0x0000000000D80000-0x0000000001219000-memory.dmp

Filesize
4.6MB

Download
memory/1036-212-0x0000000000D80000-0x0000000001219000-memory.dmp

Filesize
4.6MB

Download
memory/1036-213-0x0000000000D80000-0x0000000001219000-memory.dmp

Filesize
4.6MB

Download
memory/1036-214-0x0000000004250000-0x0000000004650000-memory.dmp

Filesize
4.0MB

Download
memory/1036-210-0x0000000000D80000-0x0000000001219000-memory.dmp

Filesize
4.6MB

Download
memory/1036-215-0x0000000004250000-0x0000000004650000-memory.dmp

Filesize
4.0MB

Download
memory/1036-222-0x0000000000D80000-0x0000000001219000-memory.dmp

Filesize
4.6MB

Download
memory/1036-218-0x00000000756C0000-0x0000000075912000-memory.dmp

Filesize
2.3MB

Download
memory/2316-219-0x0000000000B70000-0x0000000000B79000-memory.dmp

Filesize
36KB

Download
memory/2316-226-0x00000000756C0000-0x0000000075912000-memory.dmp

Filesize
2.3MB

Download
memory/2316-224-0x00007FFFA6C80000-0x00007FFFA6E89000-memory.dmp

Filesize
2.0MB

Download
memory/2316-223-0x0000000002B20000-0x0000000002F20000-memory.dmp

Filesize
4.0MB

Download