rhadamanthys | hxxp://tinyurl[.]com/5xn2hnvx

Analysis

max time kernel
164s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tinyurl.com/5xn2hnvx

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

AeQfr3Blxw.exeaiJigsEuEa.exe

description pid process target process

PID 844 created 1372 844 AeQfr3Blxw.exe sihost.exe
PID 3180 created 1372 3180 aiJigsEuEa.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

248 powershell.exe
2052 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

launcher.exeAeQfr3Blxw.exelauncher.exeaiJigsEuEa.exe

pid process

5076 launcher.exe
844 AeQfr3Blxw.exe
5028 launcher.exe
3180 aiJigsEuEa.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	pid	process	target process
PID 844 created 1372	844	AeQfr3Blxw.exe	sihost.exe
PID 3180 created 1372	3180	aiJigsEuEa.exe	sihost.exe

pid	process
248	powershell.exe
2052	powershell.exe

pid	process
5076	launcher.exe
844	AeQfr3Blxw.exe
5028	launcher.exe
3180	aiJigsEuEa.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AeQfr3Blxw.exeopenwith.exeaiJigsEuEa.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AeQfr3Blxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aiJigsEuEa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\RG_Catalyst.zip:Zone.Identifier msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\RG_Catalyst.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exeAeQfr3Blxw.exeopenwith.exepowershell.exemsedge.exeaiJigsEuEa.exeopenwith.exe

pid	process
2032	msedge.exe
2032	msedge.exe
4852	msedge.exe
4852	msedge.exe
2728	identity_helper.exe
2728	identity_helper.exe
3788	msedge.exe
3788	msedge.exe
1460	msedge.exe
1460	msedge.exe
248	powershell.exe
248	powershell.exe
248	powershell.exe
844	AeQfr3Blxw.exe
844	AeQfr3Blxw.exe
844	AeQfr3Blxw.exe
844	AeQfr3Blxw.exe
2392	openwith.exe
2392	openwith.exe
2392	openwith.exe
2392	openwith.exe
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
3180	aiJigsEuEa.exe
3180	aiJigsEuEa.exe
3180	aiJigsEuEa.exe
3180	aiJigsEuEa.exe
2944	openwith.exe
2944	openwith.exe
2944	openwith.exe
2944	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4852 msedge.exe
4852 msedge.exe
4852 msedge.exe
4852 msedge.exe
4852 msedge.exe
4852 msedge.exe
4852 msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zG.exe7zG.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1036	7zG.exe
Token: 35	1036	7zG.exe
Token: SeSecurityPrivilege	1036	7zG.exe
Token: SeSecurityPrivilege	1036	7zG.exe
Token: SeRestorePrivilege	3548	7zG.exe
Token: 35	3548	7zG.exe
Token: SeSecurityPrivilege	3548	7zG.exe
Token: SeSecurityPrivilege	3548	7zG.exe
Token: SeDebugPrivilege	248	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

msedge.exe7zG.exe7zG.exe

pid	process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
1036	7zG.exe
3548	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

launcher.exeAeQfr3Blxw.exelauncher.exeaiJigsEuEa.exe

pid process

5076 launcher.exe
844 AeQfr3Blxw.exe
5028 launcher.exe
3180 aiJigsEuEa.exe

pid	process
5076	launcher.exe
844	AeQfr3Blxw.exe
5028	launcher.exe
3180	aiJigsEuEa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4852 wrote to memory of 2616	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 2616	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 3140	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 2032	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 2032	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe
PID 4852 wrote to memory of 4908	4852	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1372
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tinyurl.com/5xn2hnvx
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0da03cb8,0x7ffd0da03cc8,0x7ffd0da03cd8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,15033510521333152144,5984169797391874469,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2608 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:792

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16571:84:7zEvent5825
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7194:84:7zEvent32673
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Users\Admin\Downloads\launcher.exe
"C:\Users\Admin\Downloads\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\AeQfr3Blxw.exe"
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\AeQfr3Blxw.exe
    C:\Users\Admin\AppData\Local\Temp\AeQfr3Blxw.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:844

C:\Users\Admin\Downloads\launcher.exe
"C:\Users\Admin\Downloads\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\aiJigsEuEa.exe"
  2⤵
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\aiJigsEuEa.exe
    C:\Users\Admin\AppData\Local\Temp\aiJigsEuEa.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
295B

MD5
aa9e706e9768f915347bba53580bb017

SHA1
19655f4030c6a965e9a6724f5a061ab941e59132

SHA256
437bcec0f5553d162643f5eea4a4bc68c9bea0482fd89f8ba99631b5afaf006f

SHA512
3980c8d3848abec5dd178fb7f7f55a98584a4ca11c2e8c4a4d5f5e3da3feca8e502394a64897832de6d2a02ed69102b2df233db8bb309b83bb1b2ace46b97daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39a077343407360ab51b2e27447e4ea3

SHA1
77d2d94a53112abaa8959bcbc5682a08c3939ce9

SHA256
93108da7242927f48fbfab19796e43042ab902b79dc22084b129440b830ce47f

SHA512
5b73148cbd7e57725a9c213532171a38fcd6464c2b8bbe13e44cb9ca15b6b5cd9f81f6b524333a7c87521b1a34b7ed87da9c73e83c2e6dcc531c298b0e7c653b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6d4b1317b4eda9893c9d3d97b0f74e4

SHA1
0d6fa744bb704503fc1f1b6314f1a90df9123b98

SHA256
e1a5dbd2d69602e857c74d741c4186e4a101bc103a7fa3d9fdb9a8e94326ee0b

SHA512
0c405ef30ae79d9f07f86a5ada289d2b9a48b71360a6d72d7c83a11f2cd925901f1e1cfe6d329a8bf88df87aec78f901814a3a12cd93f45970f65cf0cbcf65fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0cef6ead3175d4a71f1f1b58baadb516

SHA1
4a9d022aaae8160db27e7766864355ea0726b4c2

SHA256
828f524212a410fb5a27075ad3260aaa1985d7fb59558a4a236ba17c01ad0628

SHA512
0bbb9cc0822118d953c3eddfec4e6029e8f2da461a47a96c26892e7281dcc3f55f8484438ededdb6cbe8f62be6a8d1114e3139780007cd4aadd6d34f47183574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a8aac02b5b36909d799455ba766d591b

SHA1
ef9e7e80c6ab3c0566f2dfbe40aa2f17ddc2e549

SHA256
9deee200c08e29e2e7599840eef742df679e8c321c9909de3eeb8da9c4265b3d

SHA512
8a9fda4e171b2e8dfbd9f8beefb250878b14b2a6b9a6e9b91108bd5238096472822c6107e38e6bc146b8226af02cb8a3107e1c4748c0288e20de5c36b56640f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeQfr3Blxw.exe

Filesize
5.1MB

MD5
588a46f868c4f4dac5b9b255f2584362

SHA1
f6b4502c0abe6f2ba66cf98b84a90dae89efcd97

SHA256
c396b25bf0b7ad349be220d1e1a78604eb1f83b6c42776c53cbb93155ef57a15

SHA512
ea1294e53bf6aee1266de52d38f40be8689f0f8056a43cba04c57c63b7640f9e1b84e1431e79d838b8a9d61956b1044e730b58883882a71e5f02ff477b17972a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3p2cjvbo.x5o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\RG_Catalyst.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\dnsapi.dll

Filesize
783KB

MD5
02254694b3bf9dba71bd326b808696a6

SHA1
ad3626204aaee615330eb7f7e80096b5de681e4b

SHA256
7940c4a9774781f0b2227522e5c61815c09b1a33622ba922fde3d038c0d22b50

SHA512
4fa2809784a6a216a57ed041c19cb8b778a52cfa470a57bc3b3624baa19c05be0cb7d1f0f128f13de4c76e3b9130e41af35113b7e5e37b441e2b892ce6d4e667

Download Submit
C:\Users\Admin\Downloads\launcher.exe

Filesize
35.9MB

MD5
3aadd19635ebe02045663fe176c882d6

SHA1
6aa6d16b230e9b9b6c93dad5712a971e22cb9bdd

SHA256
4abab96d0a6da2224135296fcc8511fd73792d82332383eef90b2af95edd3d19

SHA512
97f4da19434671e9921fff26926d2770bc4dc70e5048244a2b6321498cc9bc3e990e8fa1608d81048a58cd8026b58376cf4826b342b26456a101b50526d9f6a3

Download Submit
C:\Users\Admin\Downloads\ult.ucas

Filesize
2.8MB

MD5
3f79f1b8c67a57c6f87487de138ccd3b

SHA1
1ad50e59bc40464ca378e823745a69e1f6ed443b

SHA256
53d32aa885f04f1fe0a3594298b8ae05540c826c5b4ba4720944e2b91d8b7608

SHA512
6b2dbcf2bb2e7d6af0b6314409cf6c943174281318d264ffec79f10648d44eaf48262b50e139d57fdae93a4ea6409f343451feb11969ce4b7e3bd543bdfaac45

Download Submit
\??\pipe\LOCAL\crashpad_4852_XWDPUICVFQJJEDPF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/248-149-0x000002D3EE540000-0x000002D3EE562000-memory.dmp

Filesize
136KB

Download
memory/844-164-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/844-160-0x00000000000E0000-0x0000000000615000-memory.dmp

Filesize
5.2MB

Download
memory/844-162-0x00000000000E0000-0x0000000000615000-memory.dmp

Filesize
5.2MB

Download
memory/844-165-0x00007FFD1CA00000-0x00007FFD1CC09000-memory.dmp

Filesize
2.0MB

Download
memory/844-163-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/844-167-0x00000000763A0000-0x00000000765F2000-memory.dmp

Filesize
2.3MB

Download
memory/844-171-0x00000000000E0000-0x0000000000615000-memory.dmp

Filesize
5.2MB

Download
memory/844-161-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2392-170-0x0000000002DB0000-0x00000000031B0000-memory.dmp

Filesize
4.0MB

Download
memory/2392-174-0x00000000763A0000-0x00000000765F2000-memory.dmp

Filesize
2.3MB

Download
memory/2392-168-0x0000000000FB0000-0x0000000000FB9000-memory.dmp

Filesize
36KB

Download
memory/2392-172-0x00007FFD1CA00000-0x00007FFD1CC09000-memory.dmp

Filesize
2.0MB

Download
memory/2944-208-0x00000000022F0000-0x00000000026F0000-memory.dmp

Filesize
4.0MB

Download
memory/2944-211-0x00000000763A0000-0x00000000765F2000-memory.dmp

Filesize
2.3MB

Download
memory/2944-209-0x00007FFD1CA00000-0x00007FFD1CC09000-memory.dmp

Filesize
2.0MB

Download
memory/3180-199-0x0000000000600000-0x0000000000B35000-memory.dmp

Filesize
5.2MB

Download
memory/3180-202-0x00007FFD1CA00000-0x00007FFD1CC09000-memory.dmp

Filesize
2.0MB

Download
memory/3180-204-0x00000000763A0000-0x00000000765F2000-memory.dmp

Filesize
2.3MB

Download
memory/3180-201-0x0000000003E90000-0x0000000004290000-memory.dmp

Filesize
4.0MB

Download
memory/3180-207-0x0000000000600000-0x0000000000B35000-memory.dmp

Filesize
5.2MB

Download
memory/3180-198-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3180-196-0x0000000000600000-0x0000000000B35000-memory.dmp

Filesize
5.2MB

Download