rhadamanthys | 1b7d670fcf08ef982ebf0eacd19f4242d75216b5f3ad754b48eb7def379c2e16

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-fr
resource tags

arch:x64arch:x86image:win11-20241007-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
30-10-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Promo Contract for partners WEB VERSION.exe
Size

673.3MB
MD5

39143e9f9467951d7481c92f9b47bb94
SHA1

3f90c3c3024ad5a14de664692671177f707b890f
SHA256

1b7d670fcf08ef982ebf0eacd19f4242d75216b5f3ad754b48eb7def379c2e16
SHA512

e2a88feb46c95f9f34b00293ec465919ec492191c07cc96181e7e65e9d9ab16f4fc3828d37a5b53a52ad7dfea2b2c13d498c9344b02328e19a3b9270a68593a4
SSDEEP

98304:4KxPH1rO5v4CRsJHOj8GxN28jJnMW4SNGXc3f:4GV65v4NF+818VnMW4Ts3f

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://79.137.205.215:443/9b6ab5e6833f57f95b/ev08gahp.er889

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3592 created 3208	3592	svchost015.exe	51

Executes dropped EXE 1 IoCs

pid	Process
3592	svchost015.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 3592	4840	Promo Contract for partners WEB VERSION.exe	82

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1624	3592	WerFault.exe	82
1280	3592	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Promo Contract for partners WEB VERSION.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133747814777152514"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3592	svchost015.exe
3592	svchost015.exe
6080	openwith.exe
6080	openwith.exe
6080	openwith.exe
6080	openwith.exe
3636	msedge.exe
3636	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
572	identity_helper.exe
572	identity_helper.exe
2872	chrome.exe
2872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3592	svchost015.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 4840 wrote to memory of 3592	4840	Promo Contract for partners WEB VERSION.exe	82
PID 3592 wrote to memory of 6080	3592	svchost015.exe	83
PID 3592 wrote to memory of 6080	3592	svchost015.exe	83
PID 3592 wrote to memory of 6080	3592	svchost015.exe	83
PID 3592 wrote to memory of 6080	3592	svchost015.exe	83
PID 3592 wrote to memory of 6080	3592	svchost015.exe	83
PID 3176 wrote to memory of 2288	3176	msedge.exe	99
PID 3176 wrote to memory of 2288	3176	msedge.exe	99
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 1100	3176	msedge.exe	100
PID 3176 wrote to memory of 3636	3176	msedge.exe	101
PID 3176 wrote to memory of 3636	3176	msedge.exe	101
PID 3176 wrote to memory of 5492	3176	msedge.exe	102
PID 3176 wrote to memory of 5492	3176	msedge.exe	102
PID 3176 wrote to memory of 5492	3176	msedge.exe	102
PID 3176 wrote to memory of 5492	3176	msedge.exe	102
PID 3176 wrote to memory of 5492	3176	msedge.exe	102
PID 3176 wrote to memory of 5492	3176	msedge.exe	102

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3208
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6080

C:\Users\Admin\AppData\Local\Temp\Promo Contract for partners WEB VERSION.exe
"C:\Users\Admin\AppData\Local\Temp\Promo Contract for partners WEB VERSION.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 472
    3⤵
    - Program crash
    PID:1624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 492
    3⤵
    - Program crash
    PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3592 -ip 3592
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3592 -ip 3592
1⤵
PID:3100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ShowMeasure.svg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb44db3cb8,0x7ffb44db3cc8,0x7ffb44db3cd8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,16924754474138447891,16782442150388470519,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,16924754474138447891,16782442150388470519,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,16924754474138447891,16782442150388470519,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,16924754474138447891,16782442150388470519,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,16924754474138447891,16782442150388470519,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,16924754474138447891,16782442150388470519,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4a87cc40,0x7ffb4a87cc4c,0x7ffb4a87cc58
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5212,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,17461765402357859804,4065603634757086440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0c2c5e35ddea7df58237fbf5e08af57f

SHA1
6b577e1a30cbabd81cb76928c7869aea31a5c355

SHA256
5e9bd306b757d85088ff99615dbb28f5a072e728b6cd4c0308339437b9d9793f

SHA512
5e1af373384aa1cb8f0a56adf265dcfb7cb7e41fa68e376116a8075394e8c30a6564baf93d01e7713b5ba5166d6141fcb5f5422f8f5e6aa0a1e35d00ef6a57ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9fc419e5377d8f5737245ee66e14215b

SHA1
72b794964698e6932c885706f3879f18475c586c

SHA256
7c07ef377bfcefebf23343753d1d817a64d729cc906a3224c943e860e7aae163

SHA512
d3f33e0190230c6bf9f4566da97a5d0f21230f046c31aad2cf8616af47d0b5285125a3955dad855d3bd11de90bf7bfe0c642a33bd55af712f42a3fbb6174f361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0611c7e1af22aa7cde18e1da269790a4

SHA1
92a255de72ad452963189a90e550f80080a38230

SHA256
d97f309b78bc7d381687e7c70c32d85abfd3447b86d4d71f48fb4a080b7bb39b

SHA512
f568c56aed4afb14daa60354c75ce7dc95ef87f0abbf312f3e9371739a734a80f88882e53e19fe6348466f23c50bbfee451103ad2325738abb82692dbb83f02b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f8644e0387ccd802c831586e7aa2acb

SHA1
38f19b939cf62adc76b4b15624a143c49ebbb277

SHA256
ff09a9861502cbb7800ffd7e8e29197f0c1cc41b7358e38441317c34854c8bd7

SHA512
bdc6545413395cb648fd73a42d138009b2bf41eba50a11d057ae4854b46d83b6b72d0e65814593bd38982c5f6ab22de2d2ce4e1940b60063a65f5ed97a2e6069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
55ebfe7f66b475c0b817d0006d97f65e

SHA1
dbb37c2a9cbf10bcb9acbc9f77d6e252e9763f07

SHA256
6fc74e19187b9e1be7a5d2dddc4b71d5ab60e57ffa41f24a2e9b049f1b86b769

SHA512
6f1b8c4e2d58d0cf9dbe865eac80b1fc813516fb63f2a61fda3edc632a39b05ba0254bcf26120143a4f4f576e2dcec2256f5ec174858d083ddf92f0a847eebca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4706b88c48a24b64b057417cd155d8d2

SHA1
eb0833afd1b499965b371791a5fc3c1f009c9507

SHA256
8a38853df8dd3a69ac098e92db38108315bde1608cb0f348f794db06f617fef2

SHA512
a11edf8c387bd00e05a20cd67363a6cedabdb2cb204c229f75b4d2ea9de91de2ebe0eca20e221b430467e069ec64da6e1c0d366617a1351fd523f2320d314921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83f5226caadf5316b7260cdef610c38d

SHA1
f6f9179241b11036d05b2d2126ce67042b079bf2

SHA256
c776cd0aa83393b780efdcca447438da1b4d4ae390eba38e87b649535a06027c

SHA512
8cb1ecab00d076a73ffa07a3862a2444433340b15f88376ea05410b063e0c52c240eb5864ce964975977e59d1349ed0d02b44bab044e981c719170cceb1f5eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c13a2ae1-dc32-4b93-9fb8-87c6be09447a.tmp

Filesize
5KB

MD5
0361e62810833bf94b87913b1264dc7d

SHA1
4c40f55ad72361be39cdcf3a47458f776bc604fc

SHA256
d8db89340195a09727806df1cfa562ce82e029246163217dd97242df4d234630

SHA512
a7b22792de2fd8b111e3ed414e11dfefafcbedf07f1cdfc4658033be44e7b78eb4611ca4b11f87798a4656ad0613336f3e87b6154e9618f45dcc2911a0acaa20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14c219d7941793bfbc60f8738c0517ce

SHA1
c441daef02ba9ccbfb8a500fc9b0a97ee985e99a

SHA256
2d9cd73d3ca774be4744e8d4743bea28e6880412f7776b0c43ad6b002ba8b69f

SHA512
c5aea133e0d508e70e5658ea226cb03dbb424b820f8dae5fd42916373d5c4f005d196fe24332ebb6674bf56133d1956836cbf9ea12843aac2877a5c70384e0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
memory/3592-12-0x0000000003460000-0x0000000003860000-memory.dmp

Filesize
4.0MB

Download
memory/3592-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3592-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3592-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3592-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3592-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3592-14-0x0000000003460000-0x0000000003860000-memory.dmp

Filesize
4.0MB

Download
memory/3592-17-0x0000000075050000-0x00000000752A2000-memory.dmp

Filesize
2.3MB

Download
memory/3592-15-0x00007FFB579A0000-0x00007FFB57BA9000-memory.dmp

Filesize
2.0MB

Download
memory/4840-0-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/4840-10-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/4840-2-0x00000000030C0000-0x000000000340F000-memory.dmp

Filesize
3.3MB

Download
memory/6080-18-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download
memory/6080-21-0x00000000022B0000-0x00000000026B0000-memory.dmp

Filesize
4.0MB

Download
memory/6080-22-0x00007FFB579A0000-0x00007FFB57BA9000-memory.dmp

Filesize
2.0MB

Download
memory/6080-24-0x0000000075050000-0x00000000752A2000-memory.dmp

Filesize
2.3MB

Download
memory/6080-26-0x00007FFB579A1000-0x00007FFB57ACA000-memory.dmp

Filesize
1.2MB

Download
memory/6080-25-0x00000000022B0000-0x00000000026B0000-memory.dmp

Filesize
4.0MB

Download
memory/6080-28-0x00000000022B0000-0x00000000026B0000-memory.dmp

Filesize
4.0MB

Download