warzonerat | 1a8da2a01c3fdd2d155b6ed685818988bd980f94b7f4eff3011a88bac8baaff7

Resubmissions

03-12-2024 07:26

241203-h9s6favqav 10

03-12-2024 07:19

241203-h5xm3avney 10

Analysis

max time kernel
329s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steamupdater.exe
Size

132KB
MD5

ae272da48f63b0c97b06f92f00f4ff3e
SHA1

a6c26a2de3abaefb120845ae642001948a25b141
SHA256

1a8da2a01c3fdd2d155b6ed685818988bd980f94b7f4eff3011a88bac8baaff7
SHA512

345c2ba95aa64d7dbea7b912ee8005211c4bf259634dca803ccd55b2b2176929e4fc2c2482462c733abbd8c9c9fec2c3ceb8e80559804b49911baca0bcef9032
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat defense_evasion discovery evasion infostealer persistence privilege_escalation rat upx

Malware Config

Extracted

Family

warzonerat

189.14.53.123:1177

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023caf-5.dat	warzonerat

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1120	netsh.exe
4832	netsh.exe
2056	netsh.exe
2768	netsh.exe
5052	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	steamup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	steamup.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	steamupdater.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	steamupdater.exe

Executes dropped EXE 6 IoCs

pid	Process
2328	steamup.exe
1580	1.exe
3192	2.exe
4140	3.exe
912	4.exe
3584	5.exe

Loads dropped DLL 1 IoCs

pid	Process
3920	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\steamupdaterd = "C:\\Users\\Admin\\Documents\\steamup.exe"	steamupdater.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	mstsc.exe
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\N:	mstsc.exe
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\A:	mstsc.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	steamup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	steamup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Jo.GBIx = "0"	steamup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	steamup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	steamup.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Jo.GBIx = "0"	steamup.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000006dd-27.dat	upx
behavioral1/memory/1580-31-0x00000000006A0000-0x00000000006CD000-memory.dmp	upx
behavioral1/memory/3192-41-0x00000000009B0000-0x00000000009DD000-memory.dmp	upx
behavioral1/memory/1580-43-0x00000000006A0000-0x00000000006CD000-memory.dmp	upx
behavioral1/memory/3192-44-0x00000000009B0000-0x00000000009DD000-memory.dmp	upx
behavioral1/memory/1580-45-0x00000000006A0000-0x00000000006CD000-memory.dmp	upx
behavioral1/memory/4140-55-0x00000000000F0000-0x000000000011D000-memory.dmp	upx
behavioral1/memory/912-64-0x0000000000750000-0x000000000077D000-memory.dmp	upx
behavioral1/memory/4140-66-0x00000000000F0000-0x000000000011D000-memory.dmp	upx
behavioral1/memory/912-68-0x0000000000750000-0x000000000077D000-memory.dmp	upx
behavioral1/memory/4140-69-0x00000000000F0000-0x000000000011D000-memory.dmp	upx
behavioral1/memory/3584-78-0x0000000000FC0000-0x0000000000FED000-memory.dmp	upx
behavioral1/memory/3584-80-0x0000000000FC0000-0x0000000000FED000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	steamup.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	steamup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1164	3192	WerFault.exe	116
804	912	WerFault.exe	126
3988	3584	WerFault.exe	139

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags	mstsc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	steamupdater.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3920	svchost.exe
3920	svchost.exe
3920	svchost.exe
3920	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	cmd.exe
Token: SeDebugPrivilege	2328	steamup.exe
Token: SeAuditPrivilege	3920	svchost.exe
Token: SeDebugPrivilege	2144	cmd.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2328	4720	steamupdater.exe	83
PID 4720 wrote to memory of 2328	4720	steamupdater.exe	83
PID 4720 wrote to memory of 2328	4720	steamupdater.exe	83
PID 2328 wrote to memory of 2188	2328	steamup.exe	105
PID 2328 wrote to memory of 2188	2328	steamup.exe	105
PID 2328 wrote to memory of 2188	2328	steamup.exe	105
PID 2328 wrote to memory of 2188	2328	steamup.exe	105
PID 2328 wrote to memory of 2144	2328	steamup.exe	111
PID 2328 wrote to memory of 2144	2328	steamup.exe	111
PID 2328 wrote to memory of 2144	2328	steamup.exe	111
PID 2328 wrote to memory of 2144	2328	steamup.exe	111
PID 2328 wrote to memory of 1580	2328	steamup.exe	113
PID 2328 wrote to memory of 1580	2328	steamup.exe	113
PID 2328 wrote to memory of 1580	2328	steamup.exe	113
PID 1580 wrote to memory of 1120	1580	1.exe	114
PID 1580 wrote to memory of 1120	1580	1.exe	114
PID 1580 wrote to memory of 1120	1580	1.exe	114
PID 2328 wrote to memory of 3192	2328	steamup.exe	116
PID 2328 wrote to memory of 3192	2328	steamup.exe	116
PID 2328 wrote to memory of 3192	2328	steamup.exe	116
PID 3192 wrote to memory of 4832	3192	2.exe	117
PID 3192 wrote to memory of 4832	3192	2.exe	117
PID 3192 wrote to memory of 4832	3192	2.exe	117
PID 2328 wrote to memory of 4140	2328	steamup.exe	123
PID 2328 wrote to memory of 4140	2328	steamup.exe	123
PID 2328 wrote to memory of 4140	2328	steamup.exe	123
PID 4140 wrote to memory of 2056	4140	3.exe	124
PID 4140 wrote to memory of 2056	4140	3.exe	124
PID 4140 wrote to memory of 2056	4140	3.exe	124
PID 2328 wrote to memory of 912	2328	steamup.exe	126
PID 2328 wrote to memory of 912	2328	steamup.exe	126
PID 2328 wrote to memory of 912	2328	steamup.exe	126
PID 912 wrote to memory of 2768	912	4.exe	127
PID 912 wrote to memory of 2768	912	4.exe	127
PID 912 wrote to memory of 2768	912	4.exe	127
PID 2328 wrote to memory of 3584	2328	steamup.exe	139
PID 2328 wrote to memory of 3584	2328	steamup.exe	139
PID 2328 wrote to memory of 3584	2328	steamup.exe	139
PID 3584 wrote to memory of 5052	3584	5.exe	140
PID 3584 wrote to memory of 5052	3584	5.exe	140
PID 3584 wrote to memory of 5052	3584	5.exe	140

C:\Users\Admin\AppData\Local\Temp\steamupdater.exe
"C:\Users\Admin\AppData\Local\Temp\steamupdater.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\Documents\steamup.exe
  "C:\Users\Admin\Documents\steamup.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 396
      4⤵
      Program crash
      PID:1164
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2056
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 396
      4⤵
      Program crash
      PID:804
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 396
      4⤵
      Program crash
      PID:3988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 912 -ip 912
1⤵
PID:1372

C:\Windows\system32\mstsc.exe
"C:\Windows\system32\mstsc.exe"
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 3584
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\Documents\steamup.exe

Filesize
132KB

MD5
ae272da48f63b0c97b06f92f00f4ff3e

SHA1
a6c26a2de3abaefb120845ae642001948a25b141

SHA256
1a8da2a01c3fdd2d155b6ed685818988bd980f94b7f4eff3011a88bac8baaff7

SHA512
345c2ba95aa64d7dbea7b912ee8005211c4bf259634dca803ccd55b2b2176929e4fc2c2482462c733abbd8c9c9fec2c3ceb8e80559804b49911baca0bcef9032

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini

Filesize
275KB

MD5
4d18179c3e64e912a2ecd80a8aed4aa7

SHA1
1330011d2f45017c5991e681fd1dfceaaff268bf

SHA256
2de7c3db2e91021bae6e16d67677ea9ef123809eed237f804d4f7b3c0315ba5c

SHA512
d3c0f83b1d81be32a72335c8bfa7f41d4ca8df19be86470df52633ee32f4d73112a836d04e2b6276bed754b6f2d99d85024d7a327135bd348785ccdbbe8fcc0d

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/912-64-0x0000000000750000-0x000000000077D000-memory.dmp

Filesize
180KB

Download
memory/912-68-0x0000000000750000-0x000000000077D000-memory.dmp

Filesize
180KB

Download
memory/1580-31-0x00000000006A0000-0x00000000006CD000-memory.dmp

Filesize
180KB

Download
memory/1580-43-0x00000000006A0000-0x00000000006CD000-memory.dmp

Filesize
180KB

Download
memory/1580-45-0x00000000006A0000-0x00000000006CD000-memory.dmp

Filesize
180KB

Download
memory/2188-8-0x000001A51D490000-0x000001A51D590000-memory.dmp

Filesize
1024KB

Download
memory/2188-9-0x000001A51D490000-0x000001A51D590000-memory.dmp

Filesize
1024KB

Download
memory/2328-22-0x0000000008F90000-0x0000000008FE5000-memory.dmp

Filesize
340KB

Download
memory/2328-7-0x00000000011A0000-0x00000000011A4000-memory.dmp

Filesize
16KB

Download
memory/2328-21-0x0000000002FA0000-0x0000000002FF1000-memory.dmp

Filesize
324KB

Download
memory/3192-41-0x00000000009B0000-0x00000000009DD000-memory.dmp

Filesize
180KB

Download
memory/3192-44-0x00000000009B0000-0x00000000009DD000-memory.dmp

Filesize
180KB

Download
memory/3584-78-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download
memory/3584-80-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download
memory/4140-55-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download
memory/4140-69-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download
memory/4140-66-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download