blacknet | e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97cb3fda3cff430377a866d6b437de8f.exe
Size

220KB
MD5

97cb3fda3cff430377a866d6b437de8f
SHA1

2359c8459c1e1dd133c2842b51d2982e63016f92
SHA256

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
SHA512

e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f
SSDEEP

3072:alaJEgEXbfa9K4Em8wNBiXMhDJv7WehI2135eDRCyqTp0FUSVBOHfHAXTRsPCgfr:BEg4S9KqiSJvthI25ebqqBOKTRsaj2e

Score

10^/10

blacknet bot evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
behavioral1/memory/2084-42-0x0000000000070000-0x0000000000092000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
behavioral1/memory/2084-42-0x0000000000070000-0x0000000000092000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

furz.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	furz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	furz.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2556 cmd.exe
Executes dropped EXE 5 IoCs

Processes:

furz.exeUacTest.exeInpwdja.exeMnrjvryib.exeWindowsUpdate.exe

pid process

2084 furz.exe
2208 UacTest.exe
1504 Inpwdja.exe
2832 Mnrjvryib.exe
892 WindowsUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2556	cmd.exe

pid	process
2084	furz.exe
2208	UacTest.exe
1504	Inpwdja.exe
2832	Mnrjvryib.exe
892	WindowsUpdate.exe

Loads dropped DLL 6 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exeUacTest.exe

pid	process
1932	97cb3fda3cff430377a866d6b437de8f.exe
1932	97cb3fda3cff430377a866d6b437de8f.exe
2208	UacTest.exe
2208	UacTest.exe
2208	UacTest.exe
2208	UacTest.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

furz.exeWindowsUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	furz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

97cb3fda3cff430377a866d6b437de8f.exefurz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	97cb3fda3cff430377a866d6b437de8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	furz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exe

description pid process target process

PID 2388 set thread context of 1932 2388 97cb3fda3cff430377a866d6b437de8f.exe 97cb3fda3cff430377a866d6b437de8f.exe

description	pid	process	target process
PID 2388 set thread context of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe

Drops file in Windows directory 2 IoCs

Processes:

furz.exe

description	ioc	process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2188 schtasks.exe
1828 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2044 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2040 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2216 PING.EXE
324 PING.EXE

pid	process
2188	schtasks.exe
1828	schtasks.exe

pid	process
2044	taskkill.exe

pid	process
2040	reg.exe

pid	process
2216	PING.EXE
324	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exefurz.exepowershell.exe

pid	process
1932	97cb3fda3cff430377a866d6b437de8f.exe
1932	97cb3fda3cff430377a866d6b437de8f.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2472	powershell.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe
2084	furz.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exetaskkill.exefurz.exepowershell.exeWindowsUpdate.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	97cb3fda3cff430377a866d6b437de8f.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	2084	furz.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	892	WindowsUpdate.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

furz.exeWindowsUpdate.exe

pid process

2084 furz.exe
2084 furz.exe
2084 furz.exe
892 WindowsUpdate.exe
892 WindowsUpdate.exe
892 WindowsUpdate.exe

pid	process
2084	furz.exe
2084	furz.exe
2084	furz.exe
892	WindowsUpdate.exe
892	WindowsUpdate.exe
892	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exe97cb3fda3cff430377a866d6b437de8f.execmd.exeUacTest.exeMnrjvryib.exeInpwdja.execmd.execmd.execmd.exefurz.exe

description	pid	process	target process
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2388 wrote to memory of 1932	2388	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1932 wrote to memory of 2084	1932	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 1932 wrote to memory of 2084	1932	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 1932 wrote to memory of 2084	1932	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 1932 wrote to memory of 2084	1932	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 1932 wrote to memory of 2208	1932	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 1932 wrote to memory of 2208	1932	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 1932 wrote to memory of 2208	1932	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 1932 wrote to memory of 2208	1932	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 1932 wrote to memory of 2556	1932	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 1932 wrote to memory of 2556	1932	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 1932 wrote to memory of 2556	1932	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 1932 wrote to memory of 2556	1932	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 2556 wrote to memory of 2216	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 2216	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 2216	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 2216	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 324	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 324	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 324	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 324	2556	cmd.exe	PING.EXE
PID 2208 wrote to memory of 1504	2208	UacTest.exe	Inpwdja.exe
PID 2208 wrote to memory of 1504	2208	UacTest.exe	Inpwdja.exe
PID 2208 wrote to memory of 1504	2208	UacTest.exe	Inpwdja.exe
PID 2208 wrote to memory of 1504	2208	UacTest.exe	Inpwdja.exe
PID 2208 wrote to memory of 2832	2208	UacTest.exe	Mnrjvryib.exe
PID 2208 wrote to memory of 2832	2208	UacTest.exe	Mnrjvryib.exe
PID 2208 wrote to memory of 2832	2208	UacTest.exe	Mnrjvryib.exe
PID 2208 wrote to memory of 2832	2208	UacTest.exe	Mnrjvryib.exe
PID 2832 wrote to memory of 2516	2832	Mnrjvryib.exe	cmd.exe
PID 2832 wrote to memory of 2516	2832	Mnrjvryib.exe	cmd.exe
PID 2832 wrote to memory of 2516	2832	Mnrjvryib.exe	cmd.exe
PID 2832 wrote to memory of 2516	2832	Mnrjvryib.exe	cmd.exe
PID 1504 wrote to memory of 2976	1504	Inpwdja.exe	cmd.exe
PID 1504 wrote to memory of 2976	1504	Inpwdja.exe	cmd.exe
PID 1504 wrote to memory of 2976	1504	Inpwdja.exe	cmd.exe
PID 1504 wrote to memory of 2976	1504	Inpwdja.exe	cmd.exe
PID 2976 wrote to memory of 1072	2976	cmd.exe	cmd.exe
PID 2976 wrote to memory of 1072	2976	cmd.exe	cmd.exe
PID 2976 wrote to memory of 1072	2976	cmd.exe	cmd.exe
PID 2516 wrote to memory of 2044	2516	cmd.exe	taskkill.exe
PID 2516 wrote to memory of 2044	2516	cmd.exe	taskkill.exe
PID 2516 wrote to memory of 2044	2516	cmd.exe	taskkill.exe
PID 1072 wrote to memory of 2040	1072	cmd.exe	reg.exe
PID 1072 wrote to memory of 2040	1072	cmd.exe	reg.exe
PID 1072 wrote to memory of 2040	1072	cmd.exe	reg.exe
PID 2084 wrote to memory of 2472	2084	furz.exe	powershell.exe
PID 2084 wrote to memory of 2472	2084	furz.exe	powershell.exe
PID 2084 wrote to memory of 2472	2084	furz.exe	powershell.exe
PID 2084 wrote to memory of 1196	2084	furz.exe	schtasks.exe
PID 2084 wrote to memory of 1196	2084	furz.exe	schtasks.exe
PID 2084 wrote to memory of 1196	2084	furz.exe	schtasks.exe
PID 2084 wrote to memory of 892	2084	furz.exe	WindowsUpdate.exe
PID 2084 wrote to memory of 892	2084	furz.exe	WindowsUpdate.exe
PID 2084 wrote to memory of 892	2084	furz.exe	WindowsUpdate.exe
PID 2084 wrote to memory of 1828	2084	furz.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe
"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe
"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\furz.exe
"C:\Users\Admin\AppData\Local\Temp\furz.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
4⤵
PID:1196

C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
5⤵
PID:2152

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 892 -s 1048
5⤵
PID:436

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1828

C:\Users\Admin\AppData\Local\Temp\UacTest.exe
"C:\Users\Admin\AppData\Local\Temp\UacTest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
"C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7C62.tmp\7C62.tmp\7C63.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:2040

C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
"C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7C61.tmp\7C62.tmp\7C63.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\taskkill.exe
Taskkill /IM cmd.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:2216

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
4⤵
- Runs ping.exe
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
77dd3474261346c50a9d8c177a11940c

SHA1
934ccb59b6096c21dd908cc16f4da06683ccaf4d

SHA256
fc4bdc1a0c1ca3d150b305a2727d6791e93158ccfe61f9c3eb698affcb114869

SHA512
40eff43f944003aeb9f1de5ed3b72e8c78e6546845669114a107052faa04498a05fd1d73b60e28db6d910183cddd3ed275d7adc54eb1c6b2cd3b458c6c1bf59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C61.tmp\7C62.tmp\7C63.bat
Filesize
34B

MD5
4f4ecd10fc86be6be730390c06be67c8

SHA1
4c59c25907109fd48d8d94caaa8b8266ffa3c7c3

SHA256
a9bf329ec3514d7d5698851137d508b763b1a627747b1ce40ddd5c524538459c

SHA512
b4e89c807071e770b9327693032c8d1ebc06811dfeccfe0892e00deb449b75cb5d921ed2f7ae53d3fae00837bd6eed3fcb0bfc7168cad0f0c44997e51e4365f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C62.tmp\7C62.tmp\7C63.bat
Filesize
187B

MD5
befbbfdadeef80e445fdd152a121a6d1

SHA1
67019f2a12662f2ff92dc7977769b0debdbf564e

SHA256
0848f1ac65974856844e59ff3b8d492c88acf43f0fd64505d5bf3fd4e43d9da6

SHA512
867c4ee6cb22ba7ba0d5aa9c16d321f36013588b6057e3f3f0e6de670481ab1f7d46c1553b9410ff753de7e923d1b774db0c8297091fd9c852bdc96fee43ee32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9BE4.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C92.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3538f05f0a34bdae564393bea37181fb

SHA1
4d8e73dd8fa0583bee3eef1a756d61a5c6912243

SHA256
85000cb813f5441dbd516a7999a0a1da62bd5b552aceac3efc1716286a29bed2

SHA512
c7b8909518b3d107839098de546a973f02d87040a71d152c74cc3aee0c2e093d39662a7a0afd7f45453301ba0ce4cf5fbbba41a11238fbde00ded97d69d32248

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5DSDDG183ILPXAGUSU5C.temp
Filesize
7KB

MD5
93c479fe065ecb6048d9ac0fd1377d2e

SHA1
d93aeff04706495649aad2346612b494822fc327

SHA256
02359c293f0cdfbe4ece047cab0ed0b5859ea9f1605eb439c16c4615557e8c7e

SHA512
378f2d3ad146b1e5f87c227bd80af8a118b164cf1221597254f5825a6d760aabd8c817281fc70ec7a74c0ffe9e388f661872c2a1faef9478f46d71ea6dff3275

Download Submit
\Users\Admin\AppData\Local\Temp\Inpwdja.exe
Filesize
88KB

MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
Filesize
88KB

MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
\Users\Admin\AppData\Local\Temp\UacTest.exe
Filesize
140KB

MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
\Users\Admin\AppData\Local\Temp\furz.exe
Filesize
117KB

MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
memory/1932-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1932-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1932-21-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-22-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/1932-23-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/1932-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1932-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1932-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1932-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1932-41-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1932-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-137-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-143-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-156-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-43-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-42-0x0000000000070000-0x0000000000092000-memory.dmp

Filesize
136KB

Download
memory/2084-155-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-154-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-69-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-70-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-71-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-153-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-152-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-151-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-150-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-149-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-148-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-147-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-146-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-84-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-145-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-144-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-121-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-122-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-123-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-124-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-125-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-126-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-127-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-128-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-129-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-130-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-131-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-132-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-133-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-134-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-135-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-136-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-45-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-138-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-139-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-140-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2084-141-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-142-0x000000001D8F0000-0x000000001D9F0000-memory.dmp

Filesize
1024KB

Download
memory/2208-68-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2208-44-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2208-40-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-17-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-1-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-0-0x00000000009B0000-0x00000000009EE000-memory.dmp

Filesize
248KB

Download
memory/2388-2-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2388-4-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2472-83-0x000007FEED000000-0x000007FEED99D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-76-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2472-77-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2472-78-0x000007FEED000000-0x000007FEED99D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-79-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2472-80-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2472-81-0x000007FEED000000-0x000007FEED99D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-82-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download