rhadamanthys | hxxps://www[.]youtube[.]com/redirect?event=channel_header&redir_token=QUFFLUhqbmUtSC0zRE5ZbjBUV1ViZVEwa3l0WWVoQUhHZ3xBQ3Jtc0tsVUFVRHdldFdjOFRaU1BHWVl2U2dMQ3haaTk2bUlOdklTMlh4THo4eW1zUk96MlJyNDJURXBzZEI1dVg5Wkl6YUszUHZCNmZMaDZpV2tUcmE1am82bGJRUEN2R1EtWENqWC02UXByMTRlSHJxdEVhUQ&q=https%3A%2F%2Fwww[.]dropbox[.]com%2Fscl%2Ffi%2Fgg03euqc666i85vxu348f%2Flauncher[.]zip%3Frlkey%3D3pe412ttsoqn88rlj1epcc2dh%26st%3Dy1dutk2h%26dl%3D1

Resubmissions

12-10-2024 13:31

241012-qslc9sxdmq 10

Analysis

max time kernel
70s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=channel_header&redir_token=QUFFLUhqbmUtSC0zRE5ZbjBUV1ViZVEwa3l0WWVoQUhHZ3xBQ3Jtc0tsVUFVRHdldFdjOFRaU1BHWVl2U2dMQ3haaTk2bUlOdklTMlh4THo4eW1zUk96MlJyNDJURXBzZEI1dVg5Wkl6YUszUHZCNmZMaDZpV2tUcmE1am82bGJRUEN2R1EtWENqWC02UXByMTRlSHJxdEVhUQ&q=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fgg03euqc666i85vxu348f%2Flauncher.zip%3Frlkey%3D3pe412ttsoqn88rlj1epcc2dh%26st%3Dy1dutk2h%26dl%3D1

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

gk0hJGfGTs.exetML3kZSmS0.exe

description	pid	Process	procid_target
PID 1948 created 2552	1948	gk0hJGfGTs.exe	42
PID 1148 created 2552	1148	tML3kZSmS0.exe	42

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
3732	powershell.exe
4460	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

gk0hJGfGTs.exetML3kZSmS0.exe

pid	Process
1948	gk0hJGfGTs.exe
1148	tML3kZSmS0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

gk0hJGfGTs.exeopenwith.exetML3kZSmS0.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gk0hJGfGTs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tML3kZSmS0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exegk0hJGfGTs.exeopenwith.exepowershell.exetML3kZSmS0.exeopenwith.exe

pid	Process
1068	msedge.exe
1068	msedge.exe
3480	msedge.exe
3480	msedge.exe
2288	identity_helper.exe
2288	identity_helper.exe
2728	msedge.exe
2728	msedge.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
1948	gk0hJGfGTs.exe
1948	gk0hJGfGTs.exe
3492	openwith.exe
3492	openwith.exe
3492	openwith.exe
3492	openwith.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
1148	tML3kZSmS0.exe
1148	tML3kZSmS0.exe
1496	openwith.exe
1496	openwith.exe
1496	openwith.exe
1496	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

launcher.exegk0hJGfGTs.exelauncher.exetML3kZSmS0.exe

pid	Process
648	launcher.exe
1948	gk0hJGfGTs.exe
4840	launcher.exe
1148	tML3kZSmS0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3480 wrote to memory of 3688	3480	msedge.exe	83
PID 3480 wrote to memory of 3688	3480	msedge.exe	83
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1672	3480	msedge.exe	84
PID 3480 wrote to memory of 1068	3480	msedge.exe	85
PID 3480 wrote to memory of 1068	3480	msedge.exe	85
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86
PID 3480 wrote to memory of 1992	3480	msedge.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2552
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=channel_header&redir_token=QUFFLUhqbmUtSC0zRE5ZbjBUV1ViZVEwa3l0WWVoQUhHZ3xBQ3Jtc0tsVUFVRHdldFdjOFRaU1BHWVl2U2dMQ3haaTk2bUlOdklTMlh4THo4eW1zUk96MlJyNDJURXBzZEI1dVg5Wkl6YUszUHZCNmZMaDZpV2tUcmE1am82bGJRUEN2R1EtWENqWC02UXByMTRlSHJxdEVhUQ&q=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fgg03euqc666i85vxu348f%2Flauncher.zip%3Frlkey%3D3pe412ttsoqn88rlj1epcc2dh%26st%3Dy1dutk2h%26dl%3D1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffa8b5646f8,0x7ffa8b564708,0x7ffa8b564718
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,8165426684650612705,8223495276733938880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3264

C:\Users\Admin\Downloads\launcher\launcher\launcher.exe
"C:\Users\Admin\Downloads\launcher\launcher\launcher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:3700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\gk0hJGfGTs.exe"
  2⤵
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\gk0hJGfGTs.exe
    C:\Users\Admin\AppData\Local\Temp\gk0hJGfGTs.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1948

C:\Users\Admin\Downloads\launcher\launcher\launcher.exe
"C:\Users\Admin\Downloads\launcher\launcher\launcher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:3732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\tML3kZSmS0.exe"
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\tML3kZSmS0.exe
    C:\Users\Admin\AppData\Local\Temp\tML3kZSmS0.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4dc047a462fc55fcca068c7f71ffa3d0

SHA1
2dac1b341c1288054aaa5f80eb7b94d1743f37d5

SHA256
37ebeabc0d3dd682b0d41be1e1c77d0a5073b035f1573de5352cefa8f534e237

SHA512
4baf27ad1bfe050d9d5c06e43873b62c2912bb6161b0e2c18aa7abb4ff88db578b18b38efa1ee1749c985594d9c4ca473a02535642d67d4f32b664c35b0b92d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e52e994ef2391a1b3d573106d6b956e

SHA1
4ae6ad472ebe182c76c9ba34a897a857c6801daf

SHA256
da5aca60d486688aa8adb21fb621a4b1018b844e656ecb664cf67c78b641a66e

SHA512
eef0a3fdf6e668cc8de90b4a5baeafe60f4bb03226e4ad9a87ef805c2003f9cc8f268a63e803d59ec5a97baa5e9177254b93e6a1e59393d62ad2f69fdfaca41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a10734b9cbb522dd00358fc2269b91aa

SHA1
7fe192744850eee2daba806d6baeb6f6f362b3fe

SHA256
66ca5eae8ac3b57a83dfe1cb99eae22aa14ebb6b9d812ef3a84b5b7a50f0acf4

SHA512
f86eb40b656ca93254cbbf8239f5d962e8f5873e0e4fbc85485cbea2968bd6dde7e381cdedfa823328b7fb4ccf98d88d21cfc64e3c18fd255527bc8094c0c1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
af7dbe4428fa1cd3502903696f3a78cd

SHA1
d4c712dbfc89af6fd79ade235924bad51106648f

SHA256
9c44e96e957caa0caa926a02f40392f2dc0fb47b5fd0ae0003d77b5189646bc6

SHA512
320f5092de15d532e47be61a89d8f9473e3e6c7284cc3da669ca2256c19c834b6ae3d944fd75337121abf4345c26f8e797e0f879698f5896d7c45ebf3580d7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f506c923ff0a18c59fc9520636fadf80

SHA1
ef8315d307ebd6e3a9e7dceb3f1f89074b2df545

SHA256
b69cb9c23e1590aadf3b27ba76fa0a715c97742f2ebf6502aaa0974fa496ebde

SHA512
f1d565f4ad03992425d92eef015227f8e77984b6ad00ff5d4b4d10a87da754e81244739fcaccb98a546c1166f5f23b43ec4ed92e1e2d9abff505166159493dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a154efa7af25bb8b94d0d9c7b4f15cd

SHA1
5e0e04103e4eef1bc7ef242b730aed1958f98e1f

SHA256
c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

SHA512
fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xe0nzlv.tfk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gk0hJGfGTs.exe

Filesize
2.5MB

MD5
0ec4b9b5f2c28fbf2492589a344b8664

SHA1
ec46f875687fbddf48290fd117a40750d510c837

SHA256
eb8966926eb86c0b7207bcbeb56a8540c88f3b4c002e8778405fb16c645ef286

SHA512
95e047410b7ba7a8f929e9d9bec1b7da87c863094651f65b5940d7217faa0101316d019e1965f82ee2cdd7d4004b08f2169a5bf5d9e42df57dfe344f4f24e7f2

Download Submit
C:\Users\Admin\Downloads\launcher.zip

Filesize
13.4MB

MD5
0d09102590621fdc32d7bdbd302a9e3f

SHA1
4cf577548b6575ff84aeca8a0e9e9a6ced76f4ec

SHA256
12053a39feabd429dedc85c58cf8e8bf7b58136683ec043d85a318094116f92e

SHA512
0da119520a3138c780d524309eb856413240f2a27bb424c50cebf1db0da5995a1051f70aac04efd5f4555566180e2acee4e25c40c7e812f5a409186b5fcdf8da

Download Submit
\??\pipe\LOCAL\crashpad_3480_BWJDELYXFWMASHLT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1148-149-0x0000000000400000-0x00000000007F9000-memory.dmp

Filesize
4.0MB

Download
memory/1148-154-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

Filesize
2.0MB

Download
memory/1148-153-0x0000000003410000-0x0000000003810000-memory.dmp

Filesize
4.0MB

Download
memory/1148-156-0x0000000077730000-0x0000000077945000-memory.dmp

Filesize
2.1MB

Download
memory/1148-163-0x0000000000400000-0x00000000007F9000-memory.dmp

Filesize
4.0MB

Download
memory/1496-162-0x0000000077730000-0x0000000077945000-memory.dmp

Filesize
2.1MB

Download
memory/1496-160-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

Filesize
2.0MB

Download
memory/1496-159-0x00000000021B0000-0x00000000025B0000-memory.dmp

Filesize
4.0MB

Download
memory/1948-117-0x0000000077730000-0x0000000077945000-memory.dmp

Filesize
2.1MB

Download
memory/1948-120-0x0000000000400000-0x00000000007F9000-memory.dmp

Filesize
4.0MB

Download
memory/1948-110-0x0000000000400000-0x00000000007F9000-memory.dmp

Filesize
4.0MB

Download
memory/1948-108-0x0000000000400000-0x00000000007F9000-memory.dmp

Filesize
4.0MB

Download
memory/1948-113-0x0000000003620000-0x0000000003A20000-memory.dmp

Filesize
4.0MB

Download
memory/1948-115-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

Filesize
2.0MB

Download
memory/1948-114-0x0000000003620000-0x0000000003A20000-memory.dmp

Filesize
4.0MB

Download
memory/3492-118-0x0000000000FB0000-0x0000000000FB9000-memory.dmp

Filesize
36KB

Download
memory/3492-124-0x0000000077730000-0x0000000077945000-memory.dmp

Filesize
2.1MB

Download
memory/3492-122-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

Filesize
2.0MB

Download
memory/3492-121-0x0000000002CF0000-0x00000000030F0000-memory.dmp

Filesize
4.0MB

Download
memory/3732-84-0x00000203FC510000-0x00000203FC532000-memory.dmp

Filesize
136KB

Download