Resubmissions
12-07-2021 16:55
210712-cvz622xsbj 1010-07-2021 13:25
210710-pdfh7kft96 1009-07-2021 23:00
210709-hewxkm1xlj 1009-07-2021 16:08
210709-5ql27kyjqa 1009-07-2021 14:08
210709-pt977a4bhe 1008-07-2021 22:09
210708-3ypfnj5j7x 1008-07-2021 13:30
210708-4hsk7y9f2x 1008-07-2021 12:14
210708-8t5f9z9egj 10Analysis
-
max time kernel
1801s -
max time network
1279s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
10-07-2021 13:25
General
-
Target
toolspab2 (14).exe
-
Size
315KB
-
MD5
1d20e1f65938e837ef1b88f10f1bd6c3
-
SHA1
703d7098dbfc476d2181b7fc041cc23e49c368f1
-
SHA256
05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
-
SHA512
f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
1
C2
45.32.235.238:45555
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 35 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (14).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (14).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (14).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (14).exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\8D03.exeC:\Users\Admin\AppData\Local\Temp\8D03.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8E5C.exeC:\Users\Admin\AppData\Local\Temp\8E5C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\912C.exeC:\Users\Admin\AppData\Local\Temp\912C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\912C.exeC:\Users\Admin\AppData\Local\Temp\912C.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\912C.exeC:\Users\Admin\AppData\Local\Temp\912C.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\94C7.exeC:\Users\Admin\AppData\Local\Temp\94C7.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RbFMPZ6MXJ.exe"C:\Users\Admin\AppData\Local\Temp\RbFMPZ6MXJ.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RbFMPZ6MXJ.exe"C:\Users\Admin\AppData\Local\Temp\RbFMPZ6MXJ.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\94C7.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\96EA.exeC:\Users\Admin\AppData\Local\Temp\96EA.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9BCD.exeC:\Users\Admin\AppData\Local\Temp\9BCD.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A062.exeC:\Users\Admin\AppData\Local\Temp\A062.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A7A7.exeC:\Users\Admin\AppData\Local\Temp\A7A7.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\teecswcC:\Users\Admin\AppData\Roaming\teecswc1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\teecswcC:\Users\Admin\AppData\Roaming\teecswc2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\teecswcC:\Users\Admin\AppData\Roaming\teecswc1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\teecswcC:\Users\Admin\AppData\Roaming\teecswc2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\teecswcC:\Users\Admin\AppData\Roaming\teecswc1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\teecswcC:\Users\Admin\AppData\Roaming\teecswc2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
120KB
-
Filesize
6.0MB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
1.3MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
1.3MB