rhadamanthys | hxxps://github[.]com/LarMXK/RobloxBloxFlip-Predictor/blob/main/BloxFlip[.]exe

Analysis

max time kernel
107s
max time network
109s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
27-09-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/LarMXK/RobloxBloxFlip-Predictor/blob/main/BloxFlip.exe

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://195.3.223.126:4287/9d0dc091285eb9fbf2e/o8f3c8oj.8rdif

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3648-341-0x0000000007100000-0x0000000007500000-memory.dmp	family_rhadamanthys
behavioral1/memory/3648-343-0x0000000007100000-0x0000000007500000-memory.dmp	family_rhadamanthys
behavioral1/memory/3648-342-0x0000000007100000-0x0000000007500000-memory.dmp	family_rhadamanthys
behavioral1/memory/3648-344-0x0000000007100000-0x0000000007500000-memory.dmp	family_rhadamanthys
behavioral1/memory/3648-348-0x0000000007100000-0x0000000007500000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

BloxFlip.exe

pid	Process
3044	BloxFlip.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
33	camo.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

BloxFlip.exe

description	pid	Process	procid_target
PID 3044 set thread context of 3648	3044	BloxFlip.exe	94

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3664	3044	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BloxFlip.exeAppLaunch.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BloxFlip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133719389763928154"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exeAppLaunch.exe

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
3648	AppLaunch.exe
3648	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
440	chrome.exe
440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

chrome.exe

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 440 wrote to memory of 3652	440	chrome.exe	70
PID 440 wrote to memory of 3652	440	chrome.exe	70
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4372	440	chrome.exe	72
PID 440 wrote to memory of 4464	440	chrome.exe	73
PID 440 wrote to memory of 4464	440	chrome.exe	73
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74
PID 440 wrote to memory of 340	440	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/LarMXK/RobloxBloxFlip-Predictor/blob/main/BloxFlip.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x44,0xd8,0x7ffdb89b9758,0x7ffdb89b9768,0x7ffdb89b9778
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4492 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4500 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=764 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4480 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:1140
- C:\Users\Admin\Downloads\BloxFlip.exe
  "C:\Users\Admin\Downloads\BloxFlip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:3648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 220
    3⤵
    - Program crash
    PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=688 --field-trial-handle=1624,i,3362201900337716836,12821147449220262431,131072 /prefetch:8
  2⤵
  PID:4120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2680f190-817e-4717-9283-9ba4704157e8.tmp

Filesize
150KB

MD5
35ab9faa332b4e6d73bd1b57ae2a789e

SHA1
9b7882c48198cf1bf98b45f8843cb31c3c86836a

SHA256
f44df259e141bedaed56c121a0042c528335b8929dff5aab143bab11441c5221

SHA512
98dc02a796fd2ffbc8b830a3772454315664ad65df9d78387ebac910271a55358449362e36de09607302012c3ddfe9c4f4a549341177b99d90d6c0b1eb278222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
de0bec35f3f3e7f04275ebc604b4694c

SHA1
1e03e4328737624a4610e8962ba917ba32fda19a

SHA256
d8691e2f46546e48fb1109d22310457f55efae2405ae42963df87454eee0cafa

SHA512
32f18100d5fe0959cac040bafe2c95a5fb5e031920551a0045645579a176c08135dcde71f9269f2b8ccdbb93446dbf91f0ccc40aa794be349ee8d6d1d1e3896d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
adb22913cf11bd920d8ef0eb0e9123b2

SHA1
b9687e59ab939342012f9a7b33ede09015ca2ce1

SHA256
fb5827e209ff6efa25fdee43e553ed8c24ab166a638be59a282df4c0ac9b7f77

SHA512
cb05c9a3b38bf6c9c3f85cdb57784c3d9cf72224cd120be949824088f594e8a2a1ba318991f07aeaadee43fcbc33d80df34fc4126c0234f5a512caf150371a56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
605936a55e57b898849f7797abc89352

SHA1
2eef9d33288e47d5ea99000f45422eadec1fd3cf

SHA256
a3a6616000309eb0991307f0f0b1ad018356a0878a5738877a2416bacf5b5e4b

SHA512
791f48934b6add30f8e0bef5a9d5d5c5ae946177c62759db5b6226de9c91f9b606882b48d6e34caf5ea97616178e78de57e3efc224deddcb8c4033e34bbca783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9f21cf9c3c55eb8c3721abbd6cbae1de

SHA1
70448571062c063689481eae186b41d4d16959ec

SHA256
b59475ce32b88f5ac5618ea223709ea11cc007b1f7f3847b2badbc640f916c9d

SHA512
8732981f756360da9d62835096c9dce647f9d5f3c28dbf4e6ff3accbc702916b66fc69e2b8c321eb25baf48130b341136ffa7d3f3d839fc6926fcc43117736e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
973072a687482896dd52b0f0030a25d4

SHA1
0de67e755ad247c8f798fbf39bf775495b87cfd2

SHA256
31e34aab0d6e241ed895c71eef724045d0e60f6a144ad2a556cd261b196644e4

SHA512
c4e123ddb613f971917368bee708165fba91fa96db36586184c41c297ba8695c8bb01b1b138aa455185bf33f5cd426e275c08f7f7181c35455512f77c3f8fdbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
169179c4b7bddcae16c26824e6b620af

SHA1
eaedbfd6e1b0a59d78b94355bb3a9a1f20b3849a

SHA256
6dd9652c8d963df9bb29cf459b1bdfef566f37801df2322e390dff86c6947663

SHA512
7397ee323f9420b67636671bee8d0d8626b253760bbaa3be6e9d3147f19c26401305ebc0e9615b11dc0e31af325d728039c74fd5d6b06da8d69f48cbf745f469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6d38e72b27db0b094f1ea11755c60549

SHA1
ad57ca4fd8f74a446700ff97b2eccaf9d14de055

SHA256
6b67e1e48e0095a2041980117f631f2da55281f457e24883b794ae49c0de11c0

SHA512
4eb7a8bafca35b35ef948e2381a2c918ee7b251799054237b1b77ca005012b36facab52dbe31e90f4bbd807b9f47f1db2be856d16f567eadefd5793b34dfdc62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc87ad719a8b5336200537c579e02014

SHA1
e469664c3611d55fec2eea3e318b00586e20d635

SHA256
d5692faf0f6937ef89d01587eb77af268df81d108bf3a20a8b1fd486bccebc41

SHA512
09e215fd5f5e944ac2a5de48e19c46eb0ca09748e650dceea64b02dd020b3d902c581f9c0d8a66e82d376d3af2674b88fb3104f2d435263c78088320ffe58569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b65d6286970de9a1d016affee984fa28

SHA1
20ea444f34da82f77b42346a09b62fc826d5b8a2

SHA256
df854cae65c8067cc16ca959e23296495ffe8ce814184e9d21ec30d1c471dd66

SHA512
4062bd22c66531c52f4ab805b872401eb9af1f10d86951b59dcad40cb50148f8f6f7ed1ddd67a71b061b58d37bf24907d9c118fd2cd82f5e1fde2a13beddf612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e62a8db4ccde03611f06d3f8aee8dfb6

SHA1
e31464bb28da25d9ece7d20851da27bfef1f6dab

SHA256
e54d574dde5897124d4fc99395032261230aa649c069cd63bffd2561498371a2

SHA512
2d9798576e6195dc72d06cdaaa13cb72fbf6a33f203662e450150b7e5ad1c179e2517584f331d9c0f1280022be861991041926ee841c906b31969470fc740fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8d097cae7bf9e20d08d32224500d0d4c

SHA1
9c65331fca6a4d1f66a101da968d250bf40fc778

SHA256
2807e2cfbe1429ad97693dae313df7003761b2e347bcdc3c3424b88711cbd204

SHA512
8194844b7a1b45192516e3dd70ef14837acc99a9547b4af8b8bf1d2f91764d0868a30d7a3fdacf6f767e30223d86bbcd684f831c0437d12e05aa2c6ce614e1d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
79a8adacaef709c703df54bed9eaf316

SHA1
0b02d123fd1ea61c6b9c2c9f772cbe2d13197d56

SHA256
ba64abde658bd85760af7a9f764d902be74aaa248853a811f70270bcfcf524ce

SHA512
46f9ba493f94d2a8f637bb2f9e6476abae8f2fa36e87c0e25e35697c1997a77659a9d10309ebbdbba6ee8b77c46a11b5f2bbe7fd8db6c4823d5f0c02b5666065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3ae757c41efa92de6eb496a752331ce8

SHA1
cfa0d4265edf27e7431ebbbb10693021f9436468

SHA256
b6f72ee14228075df384380924f4e60a29c3b1eb5ce1254758809f15efba67ca

SHA512
699c63f3fc3a0bdb2024dd436586122f39afbbcc6dc74af47ae498922c769e95cc6c3d2c29ad5759d6a00e34d530c9d2e69b69f99611c89164ebe09a214bb82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e07cf8bab35742cf8eb138116f483d45

SHA1
d37f38ba4dbfd18e4371404b19845108b21cd755

SHA256
54b166468952fc39409e8bf8fd3a6c242470d508087604fc1ff5299513385e08

SHA512
06552defe3ca7a668bb22fd83137cadfced146ef5748e145d11ba6eb889f5dd0ef9877ca9946a2fb5de969c212b55537776704b5f7385cfa7b716255b9ce14bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
6757e9e20ad320192729460df0f3903f

SHA1
5b4ef4af1e214d50e2d9844d6ace60517eac0720

SHA256
61cabdc1aa7164b44dc00197b2c9ce47df067e36ed7349b60676a8d35c3a51f4

SHA512
c881bfbd47b342ad71ce413835a15993d60207ad8afdc8e9ea0ae42b387e7233def0e6f775e08d98c070a92cc2c4f4a24b2642ee1c9f7544cc89cc1fbce87e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
6d7406a6e8e786f2490c5cbce48f0c8c

SHA1
0232ee5fbde1e3cfd9d4c8a4fd45810f4ca44bc8

SHA256
40f974d3ebf2f6ce2c6f0bf2c47e404763cb0fa75b07276c05a12e1407fecf4f

SHA512
d152601d1fa6704cfacef72945dd05c864e5f2a0a2b09e5000b949490f93ae6b5bd32cb514ad19db36574918e84a0807e0ba9960ad73e699cdac1cad1746fec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
167KB

MD5
cdfa6f926ea9053fb28c8975a905817d

SHA1
482c7917e223e50e26010530ed3a8399d40aac19

SHA256
eb6ea11161898ba2cc39d371581d89389118799cf27a41bc7f39b78932ad064f

SHA512
5eafb5503b71cf4b4450fc88b9c452f136e00939007872ff9228827ea5749fe1f8a907ffd8e1d7a7a913c3a0a29fc44078e0d2ba18b35dcc2085c68d2d0a8b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
ad7576b5b5b02a660fde235f491d7f92

SHA1
99be72a19753befae63d3fa2f458aa6cc8574809

SHA256
070774c632af3d35595105f593a80bef04d764d11533fd954c7ae56099cdb38c

SHA512
435c86bce8bc5643c0f5fb521c275c85a0e18cc66a2f8e24f699dadf74710305ac8dcbc54f58a354f70241d535a9e04a483f58e7e8a3f190582dd16c4616e4f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
478ec433353630e2342b04e332612cc0

SHA1
4d595c0423715935d8cbfa4e722cb80bca83b7c1

SHA256
ab15c89dc1f6a0240064d4f3ca6bc1ffe321f1db76ef4dd02e137ab53ac48a2c

SHA512
ceeb8c73ebe5493c4cc08e323837df08f1539bc6a23802ae2653c03989fb50cde3fa3a946f0f688009b914dd078df12c34b4784e9ff94d539e4d88b621b60dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58e395.TMP

Filesize
97KB

MD5
7bfcdf28bcc4a22b71fae4cffbd9f8ac

SHA1
57e1a6302d5dcc83bc4830d1f72ad292b2534168

SHA256
63814d19f933b0b9e837f7081380e98f9bc6c8cd708ae6ff70178decf2f036d9

SHA512
7a4212ea109e931d0122e0f3709c882a486e2121ea541850566e72ba0ddc9c127fa81c76b02aa944bbbfc9a5b784523d057b8a2e692939a8ed25b316c7bf8141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\BloxFlip.exe

Filesize
702KB

MD5
5e8eefdad5b8ab9b1b47f269ca27d8f7

SHA1
ba66cf53cfe996d904e57b9409b349da62bb5d27

SHA256
e915dccc9e65da534932476e8cec4b7e5446dbd022f242e9302ac18d2a041df5

SHA512
3f353dd053e4cd18cb7c56237230d026404a8c217084e740b152ff3e9e3c8ecf0649dbdc5e98617d82086f2b340588741c7afdf4326e1f6bf56242bf7a8c58a8

Download Submit
\??\pipe\crashpad_440_UTDVXHGEHVYWGXZI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3648-340-0x0000000005530000-0x0000000005537000-memory.dmp

Filesize
28KB

Download
memory/3648-341-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/3648-343-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/3648-342-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/3648-344-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/3648-347-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3648-348-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/3648-330-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3648-329-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3648-325-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download