rhadamanthys | hxxps://mega[.]nz/file/0zcHiZCI#0EaOlcOfcgQyXTT4Y0B2GGhRiZimZgbjfH30mBV-PH8

Analysis

max time kernel
145s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-09-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/0zcHiZCI#0EaOlcOfcgQyXTT4Y0B2GGhRiZimZgbjfH30mBV-PH8

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://135.181.4.162:2423/97e9fc994198e76/6tst7rbp.97pue

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description	pid	Process	procid_target
PID 2368 created 3048	2368	RegAsm.exe	49

Suspicious use of SetThreadContext 2 IoCs

Processes:

NewSetup.exeNewSetup.exe

description	pid	Process	procid_target
PID 3304 set thread context of 2368	3304	NewSetup.exe	107
PID 4976 set thread context of 4868	4976	NewSetup.exe	116

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
764	2368	WerFault.exe	107
1456	2368	WerFault.exe	107
1864	4868	WerFault.exe	116
1288	4868	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NewSetup.exeRegAsm.exeopenwith.exeNewSetup.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeMiniSearchHost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Setup.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeRegAsm.exeopenwith.exemsedge.exe

pid	Process
2984	msedge.exe
2984	msedge.exe
5116	msedge.exe
5116	msedge.exe
3320	msedge.exe
3320	msedge.exe
2992	identity_helper.exe
2992	identity_helper.exe
4180	msedge.exe
4180	msedge.exe
2368	RegAsm.exe
2368	RegAsm.exe
3132	openwith.exe
3132	openwith.exe
3132	openwith.exe
3132	openwith.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	276	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid	Process
2488	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 5116 wrote to memory of 4908	5116	msedge.exe	78
PID 5116 wrote to memory of 4908	5116	msedge.exe	78
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 3824	5116	msedge.exe	79
PID 5116 wrote to memory of 2984	5116	msedge.exe	80
PID 5116 wrote to memory of 2984	5116	msedge.exe	80
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81
PID 5116 wrote to memory of 1852	5116	msedge.exe	81

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3048
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/0zcHiZCI#0EaOlcOfcgQyXTT4Y0B2GGhRiZimZgbjfH30mBV-PH8
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef9473cb8,0x7ffef9473cc8,0x7ffef9473cd8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,6175681071864091857,11819764519233227908,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1592

C:\Users\Admin\Downloads\Setup\Setup\NewSetup.exe
"C:\Users\Admin\Downloads\Setup\Setup\NewSetup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 528
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 524
    3⤵
    - Program crash
    PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2368 -ip 2368
1⤵
PID:3436

C:\Users\Admin\Downloads\Setup\Setup\NewSetup.exe
"C:\Users\Admin\Downloads\Setup\Setup\NewSetup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 492
    3⤵
    - Program crash
    PID:1864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 500
    3⤵
    - Program crash
    PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2368 -ip 2368
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4868 -ip 4868
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4868 -ip 4868
1⤵
PID:1356

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NewSetup.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
adb21c717807f78a0644dea6febf67a1

SHA1
d66fef9a10cea05a220e650d8e598319badc7c07

SHA256
0d91bc9e31642fbfe65c73f0d2c38b7692755190e04b04dd6d11c015d76ef6f1

SHA512
4d4b2cb75417ff805fb64b98a1e438205ca7fd316838d62207e04df3012170057da518d37d4e6a9d4433cfa88cb91eadec3d82e4ce7eeb41779710288c70b167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d937ae80a0981ea70f3a07d6baebe25

SHA1
7192d593469374de89ccc1aad9d53c298239a4b1

SHA256
5c723fb1e615f06757d5d93f337723dbff5f8d2521c93cfa7708cf02c94d5ca9

SHA512
30e28d7ceed6780e4e95ca6e078cb46bf4995b843481de6192da09001123c885e2898d839363c2d335e6a33c5c3c24b020de9faa3aa9f05a6ae21db4507f558f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3d95dab4c25d42b0bc555798ca5d9ff

SHA1
af104af58c76ec8ad6b821709b417748d12de749

SHA256
fdcd8b51ce35170a8e471f89c246ad4aea23af49beb9af9fd33d9ba03d5a5d79

SHA512
439600100c2625187ac947de58d4291cd272db83b031bc35b92eeddd805e53805b975565ed1667a254481d724226ed0135714f2e8de9ae8cafa594c91fbb5d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dca51af729a7672173be70898c8cc1da

SHA1
2bf78fa598619bcb0cf6e05e0056e3b2dfc7b518

SHA256
fc335225f5819ae9aa108b53f951e7eaee9556f41feb33af8023fb155a1fcfb3

SHA512
c217cd2ee26b9be2bc76c8837f288206c70c66f63b5608c56c67e93610efda908774cdf1e6d2848827b5b742ce6c3ec6a351591d1d059ccaa74ca6aa5337ac77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bb88ed11870b2b5e2a1e07219d9c20e0

SHA1
8d199c3908b20618a491d5e008da93013b2c5524

SHA256
8270c6dc7cc06de0da758d0d8ebc075e33cf024a78e8a0b4880aac72f1bb1a81

SHA512
9cc3ce6feacc21832169b1e51e43cc54235d769ea5286445ff4f55d6d6f3ebd847c897d05b1f9fe14aa0246028d2ca2950d3e16984f0eb7297536916231e8a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583330.TMP

Filesize
48B

MD5
2ecb298cfdb56b920d664f1c51c478f1

SHA1
7d6ff39dce87c25d7a0ae34ca5216644d2aef27b

SHA256
36213f7c362ab4625800ccb03f97c026e56896686e1dd630f63e43ddb9e756ad

SHA512
43d13f9de6a4243c80a97dc74ad5bdcdb7acdd42ef45d0790b008dd960d4a59fed6b2d99e9b22298ee11f77770f9ac06c6881dbc59679e29d8955192867b93ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
738107ca30cbe6516772bf7bed77a09d

SHA1
a0d81e48a6d63d462a0c6302ff882473e0875731

SHA256
f71284c23bfe7783db9835c637459db72095ed079d5e0515a14ef269643fc065

SHA512
56b2d66cf9e36d0f2c01295c7d5eb7422c76661cc7f074a7544678218e86039debb83d081bdacc1fa6e0f2b90afd263d10f1123d02fdd121f5d0ea5919260486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd34f6cb71fcb950d8d92fa7c4103779

SHA1
65a7d3769ed3dadfd9f1065c26c53c4b064cff73

SHA256
0ea8a83bd8aa3ad643b5b7fb44d0bdd50c8a5a8b73752af925a9236dc13fe798

SHA512
324c752c64e8b774f713c66579b5f5b79b61cf4b497f8c9bfccf098d2ab2a2411bfeda370dd4fa62b13839d2576a380b1dc7494c1193f28e9059648f36a4592a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
439957cc22c5dcd3d25fd3511906c565

SHA1
ffdc840596e92ebf3d6b28bff3bc0bdf5a549c5d

SHA256
b60be905f15ea69f1c5c577936bbb80a871c6494835e355f9267d63b1a593736

SHA512
412204e94707d4221ebb3b755df9aa6462e6c94c9ae2041c7ce2607b097f1e54f61c870d3987544a488a30a213ad70aa1d5b0224d0685b00f0f6250b3af3cdae

Download Submit
C:\Users\Admin\Downloads\Setup.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_5116_JPXRVUONESTRXNST

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2368-233-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2368-239-0x0000000003910000-0x0000000003D10000-memory.dmp

Filesize
4.0MB

Download
memory/2368-240-0x00007FFF05120000-0x00007FFF05329000-memory.dmp

Filesize
2.0MB

Download
memory/2368-235-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2368-242-0x00000000770F0000-0x0000000077342000-memory.dmp

Filesize
2.3MB

Download
memory/2368-237-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2368-238-0x0000000003910000-0x0000000003D10000-memory.dmp

Filesize
4.0MB

Download
memory/3132-248-0x00000000770F0000-0x0000000077342000-memory.dmp

Filesize
2.3MB

Download
memory/3132-246-0x00007FFF05120000-0x00007FFF05329000-memory.dmp

Filesize
2.0MB

Download
memory/3132-245-0x00000000021E0000-0x00000000025E0000-memory.dmp

Filesize
4.0MB

Download
memory/3132-243-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/3304-222-0x0000000000EB0000-0x0000000000F22000-memory.dmp

Filesize
456KB

Download
memory/4868-254-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4868-252-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4868-256-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download