rhadamanthys | 7c4d18253a31342fcc83a7f7748ba843f6ee00bff18b9204a4e9c447919fc989

Analysis

max time kernel
127s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grewgrwegrwgerg.zip
Size

105.3MB
MD5

2729006ef77840dcfe5c09cf65c140ae
SHA1

b4214ac9d95d1dc3c3c330b99dff2a6f29364236
SHA256

7c4d18253a31342fcc83a7f7748ba843f6ee00bff18b9204a4e9c447919fc989
SHA512

b629dfdedf5165b5e1381c9673171a7e16b3d3cd3ce8e4f29c99d0d8e1646f82f3a6de03ea314aae557a276c4bec1355ec8003189c5166e55f242899fccffa97
SSDEEP

3145728:KzOKlEsLrPj13xTycB+44cGODfPCOCrwV:KzOK97tx9+L0iOCrK

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

nq5v9DfNCB.exezVitkHBf7X.exe

description pid process target process

PID 3868 created 2952 3868 nq5v9DfNCB.exe sihost.exe
PID 716 created 2952 716 zVitkHBf7X.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3304 powershell.exe
2412 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

launcher.exenq5v9DfNCB.exelauncher.exezVitkHBf7X.exe

pid process

2932 launcher.exe
3868 nq5v9DfNCB.exe
2628 launcher.exe
716 zVitkHBf7X.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	pid	process	target process
PID 3868 created 2952	3868	nq5v9DfNCB.exe	sihost.exe
PID 716 created 2952	716	zVitkHBf7X.exe	sihost.exe

pid	process
3304	powershell.exe
2412	powershell.exe

pid	process
2932	launcher.exe
3868	nq5v9DfNCB.exe
2628	launcher.exe
716	zVitkHBf7X.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

nq5v9DfNCB.exeopenwith.exezVitkHBf7X.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nq5v9DfNCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zVitkHBf7X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718143500675132"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

chrome.exepowershell.exenq5v9DfNCB.exeopenwith.exepowershell.exezVitkHBf7X.exeopenwith.exe

pid	process
4628	chrome.exe
4628	chrome.exe
3304	powershell.exe
3304	powershell.exe
3304	powershell.exe
3868	nq5v9DfNCB.exe
3868	nq5v9DfNCB.exe
3740	openwith.exe
3740	openwith.exe
3740	openwith.exe
3740	openwith.exe
2412	powershell.exe
2412	powershell.exe
2412	powershell.exe
716	zVitkHBf7X.exe
716	zVitkHBf7X.exe
512	openwith.exe
512	openwith.exe
512	openwith.exe
512	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4628 chrome.exe
4628 chrome.exe
4628 chrome.exe
4628 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

launcher.exenq5v9DfNCB.exelauncher.exezVitkHBf7X.exe

pid process

2932 launcher.exe
3868 nq5v9DfNCB.exe
2628 launcher.exe
716 zVitkHBf7X.exe

pid	process
2932	launcher.exe
3868	nq5v9DfNCB.exe
2628	launcher.exe
716	zVitkHBf7X.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4628 wrote to memory of 5080	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 5080	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 4696	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 720	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 720	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe
PID 4628 wrote to memory of 1752	4628	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2952
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:512

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\grewgrwegrwgerg.zip
1⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8124dcc40,0x7ff8124dcc4c,0x7ff8124dcc58
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2236,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3332,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4404,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5448,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5184,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:2644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5000

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2868:88:7zEvent2325
1⤵
PID:4764

C:\Users\Admin\Desktop\launcher.exe
"C:\Users\Admin\Desktop\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe"
  2⤵
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe
    C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3868

C:\Users\Admin\Desktop\launcher.exe
"C:\Users\Admin\Desktop\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe"
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe
    C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e52c18e6a7e441538f6851a1fa240580

SHA1
97858d0834d241f7369c3ec7f9affd2e804d8409

SHA256
42918e3f73b2fb31a83e9cf0ab4628a13ea62dba52436acc46967abedd710c80

SHA512
225496ee8a47339de06664c2ff7afc18d2763170903f824914cbddcd9df87c20853474c4937982e93c702715c6ae5bcf0e09f93b84c94439fc4321c781036512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e615c9d91b5dfe42ed3b40e8ff218ba1

SHA1
681a67bc2688070397f93ec97aff567867699e16

SHA256
be744ef3a6eed642ae950c4e5602b91e4eb49c83f309cbb0f6a4385b3254f0ee

SHA512
ce9e680e96f9ce48c7c81e74c4485832e6ec4505dd933094cedde78d03e79a1a93f79ea35574614c78db9ab491eb8251605c3bbccaf34e25b05a2d7aa83834cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
370ba33b577957a448e354274e2c3b63

SHA1
c79081f870c2dab4cb464dca622ec5765d1429a9

SHA256
02eeea442e73f619ec5e3ee871fba91df7900915cf2abffffd0b04c3efbbb462

SHA512
f11370dad2989b1473fef5bb07fa848de636bd1947296ff2f30dadf041e4904dcb5edd2b1589936b5e5499d974faf16031d94a2be9f377cc1823a769f55b500d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0ce715b8475784e2d0ed53555c31636b

SHA1
a39856745dcb976002211186c2019d7ffa425788

SHA256
81023937303dc562ebf3527e867c91ef3d4f532a84cbca4bae14b8c5eacd2341

SHA512
d79c812f5a9dd627d0affa1a29e0f68bfff3acf58d06521b5847901568382c58817b62fc9801e27e127fd7f2983e44b565406e5f0165c7f1d8eb79d7cd3733c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9783124a89dbab1d87daad8923f2db2

SHA1
7ea527aa010298aa40b5b84e9700977f7f1a8033

SHA256
139248083feb2e539a4718f5b25639e947f8e3d2d43051e5098f3204ab8f5751

SHA512
9cb4716881f880e4594fffa755ccd46e78cff6366d9e721a37600c2556a62931b672b7b6c50519b6c804f5a7221a539305c9638c10d0390c5b3a749b7a01691e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8cb944eccf30a164cbea5cfe0fa6c49

SHA1
92c6d83e568ec7d4f24223d8d7d440029156500f

SHA256
9e62e7f43ab44f628be7c4e0c00bda1fcb0624c51716f681df13e79586c38183

SHA512
46a978932db487b381aeba7bce6019d3d5b2e7ac009eddfc9ba50b32bf835bda388f5d4055c3d3eb3ac2620142a03f045f26c1b047c3f2ca617c56c2368640c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7ac99df5f8ab62889d6433e61653c26

SHA1
b9ebe3d5ec3128823e14d056e25c2b2bc79a4ea5

SHA256
bed639ea1ea2298025cbe311d2ef205001549003fc4c23912d1fccfe53046e31

SHA512
40727b696e5021b1ab8eebf2a4867102971e8c006b998055eff1a2f19b7ce8aacc4229ff41acb052be08b710300799bc77fcf0682290388ac3342382c67af82e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d40b0513407a52b907f8e1709ae4d91

SHA1
583d434e3759789c1e561a60c9d8d5965af532d4

SHA256
3000a60b956b80b5f878b60b48d10677d5c6ff3c3edf7020b3c92eec488228b4

SHA512
85f5acffbd26288868f40f3b1a199209e10fac1c1be41a10ff2148010cd57006eb911922fc34da970a7f09612ef35cc63e808dd5d58f775411a39e3dae9383e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
422d8b7646caa30d514013e62a3bc437

SHA1
13b263789f1cd854df8ad7ecdd8679b8862b58dc

SHA256
ee95440df2bcfe6a0408ca2fb5465491ca658accf239fde08db5b41ce38190f4

SHA512
2d7a175358606637c054dc80f423e928ccaf5edd1de95fa1000102869c137ccfa11d9739771011152a933f14f824f490358e7eaee0a99461d54b8c0f9f7a2ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a121f00fe3c2eadcf070ac8c84876a26

SHA1
00761089da24b1fd0437345f217770e59eade3d8

SHA256
911eeab93c6852094b02ed95c4677f3ffa25d796a2ac37ebef175dda37d8cb42

SHA512
4d84f4b79d3a59d655d9e3431c34df7cc02df792ee9453309af056306b7f5f65363d8585f623dd1c5f157ecbeaa64bcb5759e8e232fb9aba5a167e06d50a35af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9fc3af864568f9f7e9816f70d7895dbf

SHA1
a9a356b551158986f67af0f010e30f57c2f6572d

SHA256
02f0b2cb48f9314db462462d6e0dee6188ed00a664c1708d19baefa09a7993f8

SHA512
24ec23337c563009121205959d9f3624661231e5ef302ea73b260bbb3392f94fc8e7b0ffceba2ca40790b8a7ba0962e79557766a781b0ba20488f6318db42a85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d78e914c524192bee30f1c205094fd1

SHA1
9c2228a765eed344c6eae7b151efee4dd07b3c8a

SHA256
4898b04d7e683aa38c2798f8fdf4bbc1165759dae797d7baa343d4fc35947e04

SHA512
d3ba00511583a8f10235ad11022666fa61e7e9fff608aa5c03917eb76d7ce582af298948166987cc63829621cc98a972da075a0aaf4733ec144cd0670d4e71e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
57d3ea65c57ca16a50d9c202bad8c79d

SHA1
a04f873749234ec967e66d018d0892b53fd1877d

SHA256
9f1280d91c0e8a0689adf195a43f9ad3e475974c81f2e4dcc72890b1e57a369a

SHA512
22708098df6fded16a3e9493922fcbc1c6f36ff83bcead4a9e989eed9834d028b6983b877383e68a1d9d73bd5410022184a4308536e4a5143bb022ac38ab3c16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
029d4f9374edf28fe59746f363fd3bfe

SHA1
0cc03e98dedcc07e02b01faf40519fb30ab0aba4

SHA256
de7c2015c05712dfef9928274bc891ff0c4160c81cc72e107ae0cadb51f1c95c

SHA512
30de46a5a3a0bc3b8e95131e773003472b72538ff5a2ada2e08911c88efed7ef7d0b99dfdc6cdb36b4f4b852441a8653530131698a464437d16edfebac981273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
089c9b17d1b1f212486ac9d19cb8f324

SHA1
941e8e84dd24df67bcb139e81a921904d2a366bb

SHA256
d767f6aec7f9c43b1623adfb252b63038bfc65d773b78ebd3e39aedb1b65f6db

SHA512
f49ec5554836ac60dd86fcdb9d6f125d00dbd02da78f5164d510bc552e5ee7fb877542502b34ae09002508dcb3f9ce44a4963a073afcce35ade6e3b353da3d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ib1baae.fys.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe

Filesize
2.4MB

MD5
ec96e65299b7639d4aa60dd315acad80

SHA1
7196b8eb744f769810b390c02371872d11c33bbd

SHA256
c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529

SHA512
db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883

Download Submit
C:\Users\Admin\Desktop\launcher.exe

Filesize
35.9MB

MD5
d4eca6136281d617dcfac5bae3349e70

SHA1
c6941cd9df4f7db4bdf6bd163869016a2520d644

SHA256
0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6

SHA512
a17b7bc6985304008649b8b6a009f675b3570e14a39e0073ea6cd00dca5ffecc0acedcc67f9c250e35b09d3c941540e74b338795f1cff12172c137d525afeb8a

Download Submit
\??\pipe\crashpad_4628_CRTCHKTXEKTWDVAC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/512-231-0x00007FF823C10000-0x00007FF823E05000-memory.dmp

Filesize
2.0MB

Download
memory/512-233-0x0000000077780000-0x0000000077995000-memory.dmp

Filesize
2.1MB

Download
memory/512-230-0x0000000002A30000-0x0000000002E30000-memory.dmp

Filesize
4.0MB

Download
memory/716-226-0x0000000077780000-0x0000000077995000-memory.dmp

Filesize
2.1MB

Download
memory/716-224-0x00007FF823C10000-0x00007FF823E05000-memory.dmp

Filesize
2.0MB

Download
memory/716-228-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/716-223-0x0000000003640000-0x0000000003A40000-memory.dmp

Filesize
4.0MB

Download
memory/716-219-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3304-149-0x00000210FE020000-0x00000210FE042000-memory.dmp

Filesize
136KB

Download
memory/3740-175-0x0000000000C50000-0x0000000000C59000-memory.dmp

Filesize
36KB

Download
memory/3740-178-0x0000000002780000-0x0000000002B80000-memory.dmp

Filesize
4.0MB

Download
memory/3740-181-0x0000000077780000-0x0000000077995000-memory.dmp

Filesize
2.1MB

Download
memory/3740-179-0x00007FF823C10000-0x00007FF823E05000-memory.dmp

Filesize
2.0MB

Download
memory/3868-174-0x0000000077780000-0x0000000077995000-memory.dmp

Filesize
2.1MB

Download
memory/3868-176-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3868-172-0x00007FF823C10000-0x00007FF823E05000-memory.dmp

Filesize
2.0MB

Download
memory/3868-171-0x00000000036A0000-0x0000000003AA0000-memory.dmp

Filesize
4.0MB

Download
memory/3868-170-0x00000000036A0000-0x0000000003AA0000-memory.dmp

Filesize
4.0MB

Download
memory/3868-167-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3868-165-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download