Analysis
-
max time kernel
865s -
max time network
871s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
11-07-2024 01:31
General
-
Target
248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
-
Size
1.8MB
-
MD5
18cbe55c3b28754916f1cbf4dfc95cf9
-
SHA1
7ccfb7678c34d6a2bedc040da04e2b5201be453b
-
SHA256
248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b
-
SHA512
e1d4a7ab164a7e4176a3e4e915480e5c60efe7680d99f0f0bcbd834a4bec1798b951c49ef5c0cca6bea3c2577b475de3c51b2ef1ae70b525d046eb06591f7110
-
SSDEEP
49152:Eau0Bnly1l8B6hLa5vMIKHVo5W1v2mS0la98MT:Nfy1Wo+JK19eFE6
Malware Config
Extracted
redline
frant
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe"C:\Users\Admin\AppData\Local\Temp\248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 5766⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 6006⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 5765⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 5724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.tmp\9760.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8f9546f8,0x7ffb8f954708,0x7ffb8f9547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8f9546f8,0x7ffb8f954708,0x7ffb8f9547185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10836221626593307347,11876089297897806218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10836221626593307347,11876089297897806218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4956 -ip 49561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1456 -ip 14561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4256 -ip 42561⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb9f82cc40,0x7ffb9f82cc4c,0x7ffb9f82cc582⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1960 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2280 /prefetch:32⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2348,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2360 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3200 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3916,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4672 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4860 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5064 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1Filesize
264KB
MD51e44b59b0381d269602e644b4175592f
SHA106fd9d0f1d4e31913d58b69aca85ce8ba6dccad6
SHA256980f9753f254994604eb2077fd2e705a711e88f90c56bb2ba786fbe8b438fa32
SHA5125e502ea4c009fa85eef19367c9c4f40d19d0fe69fe994d6c3f0d6969ffaa704a509fef2d8b51473c697a98ef4f8b0f4271611e4f17dff7ad6bc32dfd6dd336da
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD532ef000063feb6439a4567c71d5dad85
SHA14e8b832e4e4638be0c9685ca95d460650b8d3469
SHA25637f5643f4463dbb90acf4dce69505f31b16c885a247e006052c8d6a6a4ea3476
SHA5122cbf7d6fccd12745f38241e7757df0aca8da7d6d7f42caf8b8849601efd9249de4638b1226f5c2a3a6b78bcb18d22e4fd8a849a8655fdab9966c92adbe57809c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5e8eaa377e19d847e804639337845ce16
SHA1def7a2c4aaf9a5aff46a6928909fe31060f245c2
SHA256a57831f994f8fa38dc15ea9b3f946b595dda53ffe281b33e3cdcec236ba976d8
SHA512ca8afeb037bc51e475fbefffe1ac921e97670352c5c39747ed375e7dbf9071a3eed5766dc44a89d17da185929d3493987c0449103626a640d2dfd62fe2ce850d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5f59afbf66754f44b47e4b8fb0801c213
SHA131938dafa6b88f5c8f4308cef05a0adee3732754
SHA256ae98ec2a9871b195e687edb4165fb9b573eb69c2e596d4aedfc6969064651b5c
SHA512440b1a8ca8b2fd7793995aa104d67e33d37d947d6ef4e6bdf87d02a1bc070c754410ee1e1791b4f60a226e36da82ac0bb7229fada27dc855b6c64e97e22fbecc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD500a71d54e7899bfeddb01155890f7614
SHA11f56956f7fe34ccb69e5e7138bccc51b8b955b43
SHA256d37259d5f9dd52646b63f1cb5129626d379ce17f13f1b4713186a9126707647a
SHA51231f5fd9da8bda2a78e57c19ae9d9b65e436fa6a0d4115dce83bd24fb7eb3d8daf03ab749277a54005d4a176ca856eb8bd46c8343835aa5b17fcb2ae7d82247d8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD54b719a811854cc97e250bead4c34b855
SHA1970ac13ff5c65140219af65290d0c2d5ba4c3483
SHA2560e3389400b60e4ef1254444de57e16e788f6aee5e170614f3cd95c31b5b0051a
SHA512a897bf3ab94877104e24754e549f8197f18798f640d1532e43704f1954c394237ce7c8fac505e6d2abcfe9ae62a33cdde7846521a0e32baac721fffea5173a40
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
15KB
MD579388f1be2a1aceef6259d605a536070
SHA18b5f53314d0e264e582190e7d2e2f441cf49c038
SHA2567c5e4a20dd8efa33233cb2f59b1f858325f3995ff3c91b3e893761617a6d012f
SHA51299ecb9ff21c1f016c8f29269b424462b79f937b6192f2595f96361a6e8e28be600610ce5830f4964a00e65c3ba2f0b947c9b657514ecbb73bc911056e5709074
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
181KB
MD52289e65c6d944b51108cd532b3df868c
SHA1f3c50dcf3cf082f1a2d4ff82fb3d84529a113b3b
SHA2569160e72676590a6e9b5654d3df01bc2f5b541569cfe99dbf97aace8b82ee5de4
SHA5121bcfdbc81e2a37555a1e1043ae6e78acd4a09bad7e0e20272bdb00e7383f38b0db3a472ee342f66d2498b97f95e0078c9da84533dc823ebf5fdebd9e8ef70205
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
181KB
MD552a1fba058313e2150755736b5b6b219
SHA190fb3b47d28285a21ddb42ac594fcf6670ad06cb
SHA256adbb38e83338e8f8be07b27d013bb43754bca8133d14b225ba9663bee44ca88b
SHA51298f138263e8333e4a948b2e9eebc3435c954f6a0d1e2cf58263b3af4878760b7343b8792d489945d20f04512c75e404a63b2cd1e692481de64b4c7ec7bb3c15a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5584971c8ba88c824fd51a05dddb45a98
SHA1b7c9489b4427652a9cdd754d1c1b6ac4034be421
SHA256e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307
SHA5125dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b28ef7d9f6d74f055cc49876767c886c
SHA1d6b3267f36c340979f8fc3e012fdd02c468740bf
SHA256fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37
SHA512491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5049cd22609724f9d1119437b38530ece
SHA110d242fd73876d6470455f11dde5b95ac38e3d78
SHA256ba51ae2cd8cc0265977ad920f798f14bacfe29e0d838683c092452abcfd31093
SHA5121548de16c2e08eb0ec857efc6a3f6ed68a1a2f33a7e1110e9d354afae212b3a8b940ba1130d69fd8149db1aafee7ebf1aac070c58fa7f6824db60dbfc0c39c43
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5ea39b1d552a947e1b967911e5ea7491f
SHA1af8a487a2bab5c683c5e962f78f2047f6d2f0335
SHA256e9791a29c2d68ba8be6fc9356cea9c023088fb3ccdc6f9fd6c834e7f76aafe68
SHA512f1dc029cfe4237abb6af92acc23877f5627e0d0044768e311b4ce1850b04ba51234f2656ea281b66b80a3cae9ba0c3a4f7b1ca462dafce4cb34860a633bd5603
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5b92a9f448e43ed904e5c34576c5b3b97
SHA1764f4aa109c97668d08278b6ee990387191c4ee3
SHA2565baf87f6dc61262a0b8618fbe476e1fcb5e6259b0b34c0fbe5f93271ffc7915c
SHA512326b8593988c8351435543b754490d74f42723508892496c8723c570b0efce65574fa60e31d3540d9faa93c04dfb9241828d0e54491703bdd46fd547e33ee89e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD59a3ffb4036ecb70ca682122c948ec2a8
SHA1ed6d4a30e39c5dd4197cbcbf12cceab67bf372ee
SHA256428463234a0ae1f068a7f6afbf003e0418aef54bc6f03ddd0afe5219a3010a13
SHA51297b46014c36e133255fd2277b843c3babd8c429b9c5d750184757f294af0a2c82870d787ae7577548ec124ff493881883071514dfe1b50a3d6ce0ef95d485b11
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5003fee1e5129039f8d49edaf6c80c1a6
SHA1a103490a2ac24b0540a2b0008475ab2994cdf101
SHA2567b08a26f6c4ed153831102d390cf7f4e0748deadf90bb22ce9baae3ae1eb96db
SHA51235fc5e7d5285f6b2d8606cb651df941bbb675d5b5306b68e208ff52b3ba86901eb085ea95402f02213b698c6b71122fceea3675918c3d30311217f46ff84a887
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD570a401eaf61e298ad761e14eeeefaeeb
SHA14e7e4b132facc49266f1e1815b462fd612ae5766
SHA256cb07e29bfc0b919a2e70993a499d689e5880b1731a2307c318d8cdfff8da8dd9
SHA5127599447d686d403d625bffa4536202641b84179b71fff9df82567801a4ef301e748ad1030199342118a2d24a2fb04fa4428dd93c9fb8da985b8a59e3f48d1637
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
872B
MD5630d74744605c3bdd8463e63027532f1
SHA17bdc9fc513c1fb2fdf7b3f29796f9542afda9bc5
SHA256dde0ccead67a388c5d0a24e34229e9aa3770b8eb425dce4f120fd0145186805e
SHA5122ce5caa617f00a0bbf794a23e85e2531614ee51e577849f261a085e661d4e3cf49d32de264424097408a8ebf526daf65dc3d434c1dcea84092e5027078355e02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
872B
MD5572adbb4b49e6bc394134c8471e91287
SHA135a1116a7ddfb179c1a909879bacbeb8d7e286ad
SHA2568faecb928ef71d728d4e5a7e7c6dc27b9d732f5e7520bc02217d0c45421ae225
SHA512ea3aa67793a536b96b7e18ee7db6b0cce710b588b6f6087099b570e5543ac73fdbad5ad18222e86e89b7f55a65b499e77a8cdd59d0b68ee06ef3d8513713b607
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5804dd.TMPFilesize
872B
MD5f6448035ef7bfec7ff9ed9b4cb15841b
SHA1b634d97f6130165f00575fcb73954f044d59df21
SHA256bc2477ea298656d59cdd8f5c68ebf1656c4fb07fe1c474ab85abbdc71b508fed
SHA512f97c15d156d940d48a11c0efb67526901fb8ac1c85bc5477b145dc7ff9a0bda1a2e7efdd028dac73adce7c88d3ef66d5ec9c47d296bb1da9c754a05b2930c3db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5f08fd8cb60221fffa7169e32438dd114
SHA19738390512d4d98b77f78c035392c733ac1e2edd
SHA25680737748102c5f2157c304bee54cc7d2f2f242f311f58da23deb5950067f487a
SHA51243b58ef9ceefa34306f8b88cf3730266c91507d77f5b6e957f62be6bcd947e442db5baabca13506d0ae6548d5b8c4c4f6950f24a6a767caea7a26cce106407c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59bb2aed20e43acc2e317718b10d8319c
SHA1cad04df38ae9cb59efee6446cd581125858655ae
SHA256b61787b153b8c5e0b9dbe9cd54903f0dff780b40cbe59b6afcc88f70fbff6eaa
SHA512e9802a05a49f7f2bcc123e1c289907d1dae2ae536ed40bc5a1aecf90189bcd7adf4850955f63f3e4e00ddaad331644dea69bc516404ca98cec37d836f02fb315
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD57ca54fb7fbbae8809ea3a77dc2f7b87c
SHA138eecbd80713ad744c68c09fab3622f9277beb3f
SHA2568806cc5f4bcf4d62e8314e57f8d64c460c5b3e4e0be5f0e5dd569046b6d3c8eb
SHA5120bafd37aaeb9a911c484d01d0e292dd68f9f666defa90b71d8d46352636c18c6d1e123798631e717f9514093c025caab4f0ccb3c0a799f088074b7f8c2dbc5f8
-
C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.tmp\9760.batFilesize
90B
MD55a115a88ca30a9f57fdbb545490c2043
SHA167e90f37fc4c1ada2745052c612818588a5595f4
SHA25652c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA51217c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exeFilesize
100KB
MD5e0f8b21b36fee4e7738a6b5a1ab83673
SHA1e305d55d4d47bfa62eae5f8e6f34e5b133a6f40b
SHA256c567d825d19e24343647ed36c77033fb1f46f420384745a9734618684cb7d384
SHA512716e6624ff87c859d08e2bbcda1137a2386d30b5b9ef545daf2c6585bc3366561773b9ad6c719a1ad99f1bacb219544ae4556629b355250e2234a7f87d24e238
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exeFilesize
1.7MB
MD5847ee3021803e4adaefcc00aa8283017
SHA187644df0985b5ef9791c72ce79f423350629659e
SHA2564611614d9c95b0d0e4bf4aa486cc700db6e49dbef7fa2726b20f165e6798a9f7
SHA5121aaea476c061160439439d2dadc05e451166faa5614ccf8960b592df6933d07c867ab8813c08026b8b2c35b20b03dc0d26641e228fe06cff8c4938367e515b38
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exeFilesize
1.8MB
MD5cfbb3be155b12d0cc69e3d932fbb81eb
SHA1fb5ed48a80131043c4dd2e4ac69b4b38578f9753
SHA256fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
SHA51238aadedee5bd57c7f475e96d74abbb0e671bca462c2c700b7a034e2d1513bd8aebc30b7b75bf1e8cd7b7e3a831e69d5dd0ceaee3d18ed296a2cb3d1b051164cc
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exeFilesize
1.2MB
MD5252043d1805587b0e65a07f885d6719e
SHA12210de44be60ba496ea5d4068e715c1308066989
SHA25666839bc22b9c9f717198cf8faa64146fe95dff51dfbb8c0f61982f2e50e89557
SHA512dbcdb0b6fe37cf2c733b6683c2e245008400c84b59450f34a794e513955aaf392982e20f2eb2fce696eec2574fe15f699841748a21fce6a1e20a4381fd52f950
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exeFilesize
1.6MB
MD57d377f5e1ba6597ff2cfe4f92639367d
SHA1188ab803c9926ff3448c458030f418099ea03407
SHA256c705efd2888dfbede96714b58aede50a28b3da45aba83a909cb104ce34dc735e
SHA5122adad69f3a358ad955b00c8d7826c396feef9d583407d4c7d53ce3e16ed760f148f553f49df5bbcd6c5c68b87bcf7e1472d3c789946b23dab7ae94b4036540e6
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exeFilesize
725KB
MD5403a939a04b4384204d35dbc659bf772
SHA1a5424bc4b18c00fd261d71861fad75502a963397
SHA25675d5ae4d95b66cb33ccb1b8c39adda5b287ab6c44b11aa42b8f3351024fce1fc
SHA512860d17990d95694bd7e799b22e6af6fd93a20276439829e945f9aff079b6c708851e8b3e55200b8ef97d41d91608911a414b4a69c26e5593b9b4ca8a134ddbe8
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exeFilesize
1.8MB
MD5ca7a5693b5b0e8b54d6dad6a5b1b86b5
SHA149da08ec9be5e002b0d22dd630182c3a905c76c7
SHA2562d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12
SHA51268ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exeFilesize
1.7MB
MD5144dc3c0a5275a93ff86f00b5c61b9ec
SHA1784168ab3c4711737656ca13dc4cb59ca267fa45
SHA256179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787
SHA5129af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783
-
\??\pipe\LOCAL\crashpad_4764_HSQTKQDWPPJNAYWJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1324-69-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1324-67-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1324-66-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3088-48-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-62-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-28-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3088-29-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3088-31-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3088-32-0x0000000003000000-0x000000000301E000-memory.dmpFilesize
120KB
-
memory/3088-33-0x0000000005BF0000-0x0000000006194000-memory.dmpFilesize
5.6MB
-
memory/3088-34-0x0000000005570000-0x000000000558C000-memory.dmpFilesize
112KB
-
memory/3088-52-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-60-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-35-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-38-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-40-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-42-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-44-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-46-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-36-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-50-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-54-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-56-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/3088-58-0x0000000005570000-0x0000000005586000-memory.dmpFilesize
88KB
-
memory/4176-73-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4872-87-0x0000000007DD0000-0x0000000007DE2000-memory.dmpFilesize
72KB
-
memory/4872-77-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4872-78-0x0000000007BA0000-0x0000000007C32000-memory.dmpFilesize
584KB
-
memory/4872-79-0x0000000004FC0000-0x0000000004FCA000-memory.dmpFilesize
40KB
-
memory/4872-85-0x0000000008C40000-0x0000000009258000-memory.dmpFilesize
6.1MB
-
memory/4872-86-0x0000000008620000-0x000000000872A000-memory.dmpFilesize
1.0MB
-
memory/4872-89-0x0000000007DF0000-0x0000000007E3C000-memory.dmpFilesize
304KB
-
memory/4872-88-0x0000000007E60000-0x0000000007E9C000-memory.dmpFilesize
240KB