redline | 32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e

Analysis

max time kernel
169s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe
Size

1.5MB
MD5

e50b7895d94328e78c7d87112733df53
SHA1

84706f8bc877723c29899dd8401848cebe8c0f0b
SHA256

32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e
SHA512

227ea07e7604e0f9ace5815948a52de8ef455213cf1a924e0a10c628f0a59d566155dcd4e5b6ed9df13d3d8443a268060e81a4640e1fa1676e1f82f52fec45fd
SSDEEP

24576:TyAbKDgrXZfMdyoKetu6h90GSes8metN4xtoxqDalZDYc993XT28:m+KDMpfMUmu090GboxKxxlZDYYHC

Score

10^/10

redline smokeloader breha backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1RN46Rx2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1RN46Rx2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1RN46Rx2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1RN46Rx2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1RN46Rx2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1RN46Rx2.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4776-92-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1056-31-0x00000000024B0000-0x00000000024D0000-memory.dmp	net_reactor
behavioral1/memory/1056-36-0x0000000004AD0000-0x0000000004AEE000-memory.dmp	net_reactor
behavioral1/memory/1056-38-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-39-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-41-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-43-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-45-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-47-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-49-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-51-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-53-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-55-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-57-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-59-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-61-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-63-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-65-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-67-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor
behavioral1/memory/1056-69-0x0000000004AD0000-0x0000000004AE8000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	5wu0hp2.exe

Executes dropped EXE 8 IoCs

pid	Process
3736	rz1IV14.exe
2524	we3Hl18.exe
2612	cs6YO90.exe
1056	1RN46Rx2.exe
2628	2uA4592.exe
532	3Xx58My.exe
4208	4Hg383EM.exe
1076	5wu0hp2.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1RN46Rx2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1RN46Rx2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rz1IV14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	we3Hl18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cs6YO90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 3600	2628	2uA4592.exe	106
PID 532 set thread context of 4992	532	3Xx58My.exe	111
PID 4208 set thread context of 4776	4208	4Hg383EM.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4576	3600	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1056	1RN46Rx2.exe
1056	1RN46Rx2.exe
4992	AppLaunch.exe
4992	AppLaunch.exe
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found
3240	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4992	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	1RN46Rx2.exe
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3736	552	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe	88
PID 552 wrote to memory of 3736	552	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe	88
PID 552 wrote to memory of 3736	552	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe	88
PID 3736 wrote to memory of 2524	3736	rz1IV14.exe	90
PID 3736 wrote to memory of 2524	3736	rz1IV14.exe	90
PID 3736 wrote to memory of 2524	3736	rz1IV14.exe	90
PID 2524 wrote to memory of 2612	2524	we3Hl18.exe	91
PID 2524 wrote to memory of 2612	2524	we3Hl18.exe	91
PID 2524 wrote to memory of 2612	2524	we3Hl18.exe	91
PID 2612 wrote to memory of 1056	2612	cs6YO90.exe	92
PID 2612 wrote to memory of 1056	2612	cs6YO90.exe	92
PID 2612 wrote to memory of 1056	2612	cs6YO90.exe	92
PID 2612 wrote to memory of 2628	2612	cs6YO90.exe	102
PID 2612 wrote to memory of 2628	2612	cs6YO90.exe	102
PID 2612 wrote to memory of 2628	2612	cs6YO90.exe	102
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2628 wrote to memory of 3600	2628	2uA4592.exe	106
PID 2524 wrote to memory of 532	2524	we3Hl18.exe	108
PID 2524 wrote to memory of 532	2524	we3Hl18.exe	108
PID 2524 wrote to memory of 532	2524	we3Hl18.exe	108
PID 532 wrote to memory of 4992	532	3Xx58My.exe	111
PID 532 wrote to memory of 4992	532	3Xx58My.exe	111
PID 532 wrote to memory of 4992	532	3Xx58My.exe	111
PID 532 wrote to memory of 4992	532	3Xx58My.exe	111
PID 532 wrote to memory of 4992	532	3Xx58My.exe	111
PID 532 wrote to memory of 4992	532	3Xx58My.exe	111
PID 3736 wrote to memory of 4208	3736	rz1IV14.exe	112
PID 3736 wrote to memory of 4208	3736	rz1IV14.exe	112
PID 3736 wrote to memory of 4208	3736	rz1IV14.exe	112
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 4208 wrote to memory of 4776	4208	4Hg383EM.exe	114
PID 552 wrote to memory of 1076	552	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe	115
PID 552 wrote to memory of 1076	552	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe	115
PID 552 wrote to memory of 1076	552	32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe	115
PID 1076 wrote to memory of 2648	1076	5wu0hp2.exe	117
PID 1076 wrote to memory of 2648	1076	5wu0hp2.exe	117
PID 2648 wrote to memory of 2248	2648	cmd.exe	120
PID 2648 wrote to memory of 2248	2648	cmd.exe	120
PID 2648 wrote to memory of 2656	2648	cmd.exe	121
PID 2648 wrote to memory of 2656	2648	cmd.exe	121
PID 2656 wrote to memory of 1160	2656	msedge.exe	123
PID 2656 wrote to memory of 1160	2656	msedge.exe	123
PID 2248 wrote to memory of 1508	2248	msedge.exe	122
PID 2248 wrote to memory of 1508	2248	msedge.exe	122

C:\Users\Admin\AppData\Local\Temp\32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe
"C:\Users\Admin\AppData\Local\Temp\32ef742594217fc70bacfbae5d49f77dd88f2c26e4c39f94ec164671dcc7950e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rz1IV14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rz1IV14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\we3Hl18.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\we3Hl18.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cs6YO90.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cs6YO90.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RN46Rx2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RN46Rx2.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uA4592.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uA4592.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 536
        7⤵
        Program crash
        
        PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Xx58My.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Xx58My.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hg383EM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hg383EM.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wu0hp2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wu0hp2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C891.tmp\C892.tmp\C893.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wu0hp2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc3d8246f8,0x7ffc3d824708,0x7ffc3d824718
        5⤵
        
        PID:1508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc3d8246f8,0x7ffc3d824708,0x7ffc3d824718
        5⤵
        
        PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3600 -ip 3600
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
451fddf78747a5a4ebf64cabb4ac94e7

SHA1
6925bd970418494447d800e213bfd85368ac8dc9

SHA256
64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d

SHA512
edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

Download Submit
C:\Users\Admin\AppData\Local\Temp\C891.tmp\C892.tmp\C893.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wu0hp2.exe

Filesize
99KB

MD5
cbccb92e8aa9d211e0c60dc9ab503c04

SHA1
f95fc055cfe67003f8959f69d902e4336f2ceb76

SHA256
a39115365f5246023fc0851aafb81eb6d7252732a2303ff69ff52e9940e39af5

SHA512
da4901d79bcec7654c688f88f2cb442b9ae10756a638ba031990ac8548d2044636be077c569dc7b5426f7bdcc6f3709bb4337fe5ad34942eaa4b27e58e0b5568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wu0hp2.exe

Filesize
99KB

MD5
cbccb92e8aa9d211e0c60dc9ab503c04

SHA1
f95fc055cfe67003f8959f69d902e4336f2ceb76

SHA256
a39115365f5246023fc0851aafb81eb6d7252732a2303ff69ff52e9940e39af5

SHA512
da4901d79bcec7654c688f88f2cb442b9ae10756a638ba031990ac8548d2044636be077c569dc7b5426f7bdcc6f3709bb4337fe5ad34942eaa4b27e58e0b5568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rz1IV14.exe

Filesize
1.4MB

MD5
2ce45fae670e8ba7c83caf180c87a1dd

SHA1
63a2464e6eae60e2c193dcd542f6685f5b64ee81

SHA256
2fb43663dc235df1feb5c3cb6f05493f5fc56a41a1a21ab3cf9ffb41dfbc688b

SHA512
e57b6490e330b15f7c65b881e067e212c922b59fdbe4d1bcfc86f0b0e6f8af9afef06a69afdcfa46336cf1a6866c8c75f384c87641b88cb02625e8b7b81a769e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rz1IV14.exe

Filesize
1.4MB

MD5
2ce45fae670e8ba7c83caf180c87a1dd

SHA1
63a2464e6eae60e2c193dcd542f6685f5b64ee81

SHA256
2fb43663dc235df1feb5c3cb6f05493f5fc56a41a1a21ab3cf9ffb41dfbc688b

SHA512
e57b6490e330b15f7c65b881e067e212c922b59fdbe4d1bcfc86f0b0e6f8af9afef06a69afdcfa46336cf1a6866c8c75f384c87641b88cb02625e8b7b81a769e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hg383EM.exe

Filesize
1.2MB

MD5
267ef1a960bfb0bb33928ec219dc1cea

SHA1
fc28acaa6e4e4af3ad7fc8c2a851e84419a2eebf

SHA256
b462fedfb5904509e82387e2591bdb1ddfe6d12b6a28a189c6403a860050965e

SHA512
ba09e6c6b71426e09214c1c6773114d0a46edd133d711f81960390f940a81a695550971b30c1d292109873b524db94b596ecaebfaf379e6c6bcfd4089379e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Hg383EM.exe

Filesize
1.2MB

MD5
267ef1a960bfb0bb33928ec219dc1cea

SHA1
fc28acaa6e4e4af3ad7fc8c2a851e84419a2eebf

SHA256
b462fedfb5904509e82387e2591bdb1ddfe6d12b6a28a189c6403a860050965e

SHA512
ba09e6c6b71426e09214c1c6773114d0a46edd133d711f81960390f940a81a695550971b30c1d292109873b524db94b596ecaebfaf379e6c6bcfd4089379e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\we3Hl18.exe

Filesize
1006KB

MD5
790a0deea6c165a82d5a81c56e485d8d

SHA1
ac42ec6ecf8289afd0fcce62c486e14c1a861c35

SHA256
e475c8814aee8a1790adfb5ed6f6f803d6457701d98035bde61c1c1fef305c55

SHA512
f49f5baa5eef2ae8fe9c335a1b79b6bb6062743cb7fa9a7495f48fa76afd4552f1515269a507d1d7298147108ba0116da9bbb48a2d71bc3b3d108d745043648f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\we3Hl18.exe

Filesize
1006KB

MD5
790a0deea6c165a82d5a81c56e485d8d

SHA1
ac42ec6ecf8289afd0fcce62c486e14c1a861c35

SHA256
e475c8814aee8a1790adfb5ed6f6f803d6457701d98035bde61c1c1fef305c55

SHA512
f49f5baa5eef2ae8fe9c335a1b79b6bb6062743cb7fa9a7495f48fa76afd4552f1515269a507d1d7298147108ba0116da9bbb48a2d71bc3b3d108d745043648f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Xx58My.exe

Filesize
973KB

MD5
5dc4be46727c1853e63ebdd240ec9bd9

SHA1
6265b41bbecbb96cf666d2b4cbd6f209f44d7a2d

SHA256
1df63e2de3adac7ff425c75b3f649078fd7a8e0008e5063bd290adb1cdba2446

SHA512
59828cba7af9fb26c6717eb3e655eec07f732ec92d3ec0cce7ed2df1acf6095dec2d97cdbbd3591ed96c08cb2adcff12c31534a93b48757ff8976c0a4233062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Xx58My.exe

Filesize
973KB

MD5
5dc4be46727c1853e63ebdd240ec9bd9

SHA1
6265b41bbecbb96cf666d2b4cbd6f209f44d7a2d

SHA256
1df63e2de3adac7ff425c75b3f649078fd7a8e0008e5063bd290adb1cdba2446

SHA512
59828cba7af9fb26c6717eb3e655eec07f732ec92d3ec0cce7ed2df1acf6095dec2d97cdbbd3591ed96c08cb2adcff12c31534a93b48757ff8976c0a4233062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cs6YO90.exe

Filesize
621KB

MD5
a2fe0f0be286b4462030d645bd052706

SHA1
0ffa9748042d1fc2c6b6724092a0db076f1ebaf2

SHA256
7cc104c85321545d1ac2ce6d5f1544ddd56d72419c5b13ceed90a7f9aba83154

SHA512
1f540d1c2c4b5e92d5043ce81b4a611d106550054f01553236cd50b097bdec65003bd0c6b7ee15e81e982e564a813a7df1af94bbe224639b8b08800cb52c454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cs6YO90.exe

Filesize
621KB

MD5
a2fe0f0be286b4462030d645bd052706

SHA1
0ffa9748042d1fc2c6b6724092a0db076f1ebaf2

SHA256
7cc104c85321545d1ac2ce6d5f1544ddd56d72419c5b13ceed90a7f9aba83154

SHA512
1f540d1c2c4b5e92d5043ce81b4a611d106550054f01553236cd50b097bdec65003bd0c6b7ee15e81e982e564a813a7df1af94bbe224639b8b08800cb52c454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RN46Rx2.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RN46Rx2.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uA4592.exe

Filesize
1.1MB

MD5
a1c1c44e837edbc2d55d33ba9620a109

SHA1
0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

SHA256
4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

SHA512
75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uA4592.exe

Filesize
1.1MB

MD5
a1c1c44e837edbc2d55d33ba9620a109

SHA1
0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

SHA256
4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

SHA512
75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

Download Submit
memory/1056-61-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-63-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-41-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-43-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-45-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-47-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-49-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-51-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-53-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-55-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-57-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-59-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-38-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-33-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1056-65-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-67-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-69-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-71-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/1056-37-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1056-36-0x0000000004AD0000-0x0000000004AEE000-memory.dmp

Filesize
120KB

Download
memory/1056-28-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/1056-29-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/1056-30-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1056-31-0x00000000024B0000-0x00000000024D0000-memory.dmp

Filesize
128KB

Download
memory/1056-35-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/1056-34-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1056-39-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

Filesize
96KB

Download
memory/1056-32-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3240-88-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/3600-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3600-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3600-76-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3600-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4776-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-93-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/4776-97-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/4776-99-0x00000000075D0000-0x00000000075E0000-memory.dmp

Filesize
64KB

Download
memory/4776-100-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/4776-101-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/4992-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4992-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4992-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download