redline | hxxps://www[.]upload[.]ee/files/14981982/Injector[.]rar[.]html

Analysis

max time kernel
29s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/14981982/Injector.rar.html

Score

10^/10

redline sectoprat redline infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

redline

not-qualities.at.ply.gg:59219

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\build.exe	family_redline
C:\Users\Admin\AppData\Roaming\build.exe	family_redline
C:\Users\Admin\AppData\Roaming\build.exe	family_redline
behavioral1/memory/2768-304-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\build.exe	family_sectoprat
C:\Users\Admin\AppData\Roaming\build.exe	family_sectoprat
C:\Users\Admin\AppData\Roaming\build.exe	family_sectoprat
behavioral1/memory/2768-304-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Injector.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Injector.exe

Executes dropped EXE 2 IoCs

Processes:

Injector.exebuild.exe

pid process

1888 Injector.exe
2768 build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2732 1736 WerFault.exe

pid	process
1888	Injector.exe
2768	build.exe

pid	pid_target	process	target process
2732	1736	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133221659702560140"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeInjector.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Injector.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2552 chrome.exe
2552 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2552 chrome.exe
2552 chrome.exe
2552 chrome.exe
2552 chrome.exe
2552 chrome.exe
2552 chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

chrome.exe7zG.exebuild.exe

description	pid	process
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeRestorePrivilege	1636	7zG.exe
Token: 35	1636	7zG.exe
Token: SeSecurityPrivilege	1636	7zG.exe
Token: SeSecurityPrivilege	1636	7zG.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeDebugPrivilege	2768	build.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
1636	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2552 wrote to memory of 1080	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1080	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1968	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3784	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3784	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 3876	2552	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.upload.ee/files/14981982/Injector.rar.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc80009758,0x7ffc80009768,0x7ffc80009778
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:2
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:1
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:1
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4604 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:1
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4760 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:1
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5496 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:1
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6248 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:8
2⤵
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:8
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 --field-trial-handle=1788,i,17474209325234686912,2465886282111960696,131072 /prefetch:8
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Injector\" -spe -an -ai#7zMap25613:78:7zEvent25426
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 368 -p 1736 -ip 1736
1⤵
PID:2852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1736 -s 768
1⤵
- Program crash
PID:2732

C:\Users\Admin\Downloads\Injector\Injector.exe
"C:\Users\Admin\Downloads\Injector\Injector.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1888

C:\Users\Admin\AppData\Roaming\build.exe
"C:\Users\Admin\AppData\Roaming\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
c6b3d9656d4aac32d5152c95728f5f52

SHA1
60a085f69f9b4b7edce665c473ecfe5ff005676c

SHA256
dabc0b4f166dc4103a27e5612e6cf1b6d7b9a768ec3a4e8a2e87b9874b6ef676

SHA512
ad247e4beebab5a5393190297f3a19fb3ba964a60e1e914e06b0a2f93b68289eebe7f5c828e8dcfcd85372199c458ed7b8b96fbe48fb6434ff9ab62eb8931013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b4f087b2d397cdc65418eb3ff9607e78

SHA1
2b077d86444d4fc9c198fe49ee75d067ed7f54d7

SHA256
dce10f5539b293591c600d2852a22fb0bfce82b35d378aecebb9add6ea441cfe

SHA512
d457ad88c50a912d824c7648bf909303a2687e6714341833d0b6d099c2f9144b1ab0e36a972497381a5011bd0867ff1a72293b4091a56c4570dd38190ca77fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
13b281afab2eb48ea1b1608071b3b3a9

SHA1
1c58eb90a06c745348a2bff26f68ba5c127b3631

SHA256
b4ce26ab9b5780879939499297069d83712eb5b949c85b72cb94c253d77ff06e

SHA512
aff35bc60568b647c4a2ec9681d1e261f053bda26b2bb187565cee80566ca8d0f64d60def654ebdf27c9f39c411b10e895b8d2d5ef9fa1763a47761a4b926e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
82b73960471c41f8cd48ee03c68a9227

SHA1
7bb93cbe0b792492b0eea934f65ea9f07dddc7de

SHA256
9c54fd335c70032735fce60b187a2614e9525279b770c8fbb7ca7ec8e03629cd

SHA512
ff12013c1757b81412d86e46f61e5ffed4c8f0aeb48c216dc1b4fdf5e21b2776e70ca761a86da6e53257ce08214d098fafecab93e11b79eb0e38206e720e06eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
141KB

MD5
df7e54dbfd5d52313f6ce4ae1cc93037

SHA1
6f372ebf1627801dd7fd48ada23991907ddf7af8

SHA256
f66c101016bec117d276b006c2e580b3ff32d39560d240029adfada36263cfc7

SHA512
60c42f28fc4347c3889ffb3dbcc5bc64724a4febf694ba2ab39b417593506c4d146c7bbea7441cd43fd66330fb4a20da002506d0bb02a786d3097d75d9ccb152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
95KB

MD5
401ae697c9602127ccadf631c1fbd437

SHA1
53290d042e2890626421f2657a9d258ecb59aa33

SHA256
9887f49e92ce29898cf42e5c0e8113f0d3d4b61fb98d7f56a9abc27ee885858f

SHA512
723e6edd5f9dd5d730571ba17aa99c255e143ab4bf16b7c24e81f28536ff15b1c1fd9d5acb3cf3e19059e1f42790c3609721d364c156d67db5aa05e209f0b338

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
95KB

MD5
401ae697c9602127ccadf631c1fbd437

SHA1
53290d042e2890626421f2657a9d258ecb59aa33

SHA256
9887f49e92ce29898cf42e5c0e8113f0d3d4b61fb98d7f56a9abc27ee885858f

SHA512
723e6edd5f9dd5d730571ba17aa99c255e143ab4bf16b7c24e81f28536ff15b1c1fd9d5acb3cf3e19059e1f42790c3609721d364c156d67db5aa05e209f0b338

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
95KB

MD5
401ae697c9602127ccadf631c1fbd437

SHA1
53290d042e2890626421f2657a9d258ecb59aa33

SHA256
9887f49e92ce29898cf42e5c0e8113f0d3d4b61fb98d7f56a9abc27ee885858f

SHA512
723e6edd5f9dd5d730571ba17aa99c255e143ab4bf16b7c24e81f28536ff15b1c1fd9d5acb3cf3e19059e1f42790c3609721d364c156d67db5aa05e209f0b338

Download Submit
C:\Users\Admin\Downloads\Injector.rar
Filesize
76KB

MD5
4be8bfa91659a5ae448f4df53351c386

SHA1
7ee5fa5662c9100014315f37fd2790dc4bc47e7f

SHA256
7f556a6f2b093284ee98f1321ce9c09b04c09b8dca93624e5f52363f1838d242

SHA512
24babaf4f2b2c951fe7dcd0a18e4d4157951acd976a969246b93cdb9f94744fd75e775e7f384e1d62d925b4a8ec04b676ab158735d2e91fab1b437577f3a7562

Download Submit
C:\Users\Admin\Downloads\Injector\Injector.exe
Filesize
93KB

MD5
a317f4394c353c241aa4230bf7af273e

SHA1
13c3dedbe62ec638f8a7d4a41a2aa6a7af3bfebf

SHA256
d9504058bb52273f740c96093e08d81259b82a22ede153398a1e2b3102c15466

SHA512
019b241819e93504caaf096cc0485ce4a4aa280b67fc03e3c1184ada6da334a47e2c407ba5ca4dc075fd931ed853a7e9a39e3cec158a0f7f9bf05f5b2c6a9741

Download Submit
C:\Users\Admin\Downloads\Injector\Injector.exe
Filesize
93KB

MD5
a317f4394c353c241aa4230bf7af273e

SHA1
13c3dedbe62ec638f8a7d4a41a2aa6a7af3bfebf

SHA256
d9504058bb52273f740c96093e08d81259b82a22ede153398a1e2b3102c15466

SHA512
019b241819e93504caaf096cc0485ce4a4aa280b67fc03e3c1184ada6da334a47e2c407ba5ca4dc075fd931ed853a7e9a39e3cec158a0f7f9bf05f5b2c6a9741

Download Submit
\??\pipe\crashpad_2552_XBRWASSZLLQJMTJA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1140-203-0x00007FFC8CE90000-0x00007FFC8CE91000-memory.dmp

Filesize
4KB

Download
memory/1140-202-0x00007FFC8D100000-0x00007FFC8D101000-memory.dmp

Filesize
4KB

Download
memory/1888-234-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1968-137-0x00007FFC8DB90000-0x00007FFC8DB91000-memory.dmp

Filesize
4KB

Download
memory/2768-305-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/2768-306-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/2768-307-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/2768-308-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/2768-309-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/2768-304-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download