fabookie | 7d50e22081955b574b989561277ce0e835117e716817736373ac8799774b6f03

Analysis

max time kernel
46s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

2.8MB
MD5

bd10a8815c03c185a31df284f162579b
SHA1

3f7e70b658fd71c2ed392ea08aff0914e697a298
SHA256

032d4ef55aba5f427555a6aff06d215ce9498dd4fafe2e0b60367c64c5b0725e
SHA512

e533179fb509a397206eafcfbfb3c4e9dfa6a21f3ad2b57d2b5662e0f9a4ed5e25fca21b542482b7979213c7c644fa483c1f0b99009a5860e8c497822e9e8e4c
SSDEEP

49152:xcBlEwJ84vLRaBtIl9mVcIuSkzZvChaiHxicKfV8aUDqvauoJp9hCwHjbz35FX:xPCvLUBsgkS6ZqhRiWqiuoPHZjf

Score

10^/10

fabookie nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor dropper loader spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://sornx.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000600000002323a-60.dat	family_fabookie
behavioral4/files/0x000600000002323a-68.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral4/memory/3944-92-0x0000000000400000-0x0000000001DCC000-memory.dmp	family_vidar
behavioral4/memory/3944-120-0x0000000003A20000-0x0000000003ABD000-memory.dmp	family_vidar
behavioral4/memory/3944-169-0x0000000000400000-0x0000000001DCC000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0006000000023230-35.dat	aspack_v212_v242
behavioral4/files/0x0006000000023233-41.dat	aspack_v212_v242
behavioral4/files/0x0006000000023231-37.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	setup_installer.exe

Executes dropped EXE 9 IoCs

pid	Process
1592	setup_install.exe
3944	Sat1439757f36bcd2d5.exe
3928	Sat14ea52090698.exe
5108	Sat14cd569dce36.exe
4676	Sat14af44d511d3.exe
1100	Sat14546eea434751d.exe
4712	Sat144adc22f2e612dc.exe
4584	Sat1400e35015ff26dd.exe
3108	Sat14ea52090698.tmp

Loads dropped DLL 7 IoCs

pid	Process
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
1592	setup_install.exe
3108	Sat14ea52090698.tmp

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
2024	1592	WerFault.exe	83
3420	3944	WerFault.exe	88
2580	3944	WerFault.exe	88
3972	3944	WerFault.exe	88
1572	3944	WerFault.exe	88
116	3944	WerFault.exe	88
3284	3944	WerFault.exe	88
3384	3944	WerFault.exe	88
1060	3944	WerFault.exe	88
5080	3944	WerFault.exe	88
3472	3944	WerFault.exe	88
716	3944	WerFault.exe	88
2328	3944	WerFault.exe	88
4764	3944	WerFault.exe	88
912	3944	WerFault.exe	88
3760	3944	WerFault.exe	88
2212	3944	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat1400e35015ff26dd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat1400e35015ff26dd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat1400e35015ff26dd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4584	Sat1400e35015ff26dd.exe
4584	Sat1400e35015ff26dd.exe
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4584	Sat1400e35015ff26dd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	Sat14546eea434751d.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1592	1984	setup_installer.exe	83
PID 1984 wrote to memory of 1592	1984	setup_installer.exe	83
PID 1984 wrote to memory of 1592	1984	setup_installer.exe	83
PID 1592 wrote to memory of 4724	1592	setup_install.exe	86
PID 1592 wrote to memory of 4724	1592	setup_install.exe	86
PID 1592 wrote to memory of 4724	1592	setup_install.exe	86
PID 1592 wrote to memory of 2120	1592	setup_install.exe	105
PID 1592 wrote to memory of 2120	1592	setup_install.exe	105
PID 1592 wrote to memory of 2120	1592	setup_install.exe	105
PID 1592 wrote to memory of 4384	1592	setup_install.exe	104
PID 1592 wrote to memory of 4384	1592	setup_install.exe	104
PID 1592 wrote to memory of 4384	1592	setup_install.exe	104
PID 1592 wrote to memory of 2404	1592	setup_install.exe	102
PID 1592 wrote to memory of 2404	1592	setup_install.exe	102
PID 1592 wrote to memory of 2404	1592	setup_install.exe	102
PID 1592 wrote to memory of 1860	1592	setup_install.exe	101
PID 1592 wrote to memory of 1860	1592	setup_install.exe	101
PID 1592 wrote to memory of 1860	1592	setup_install.exe	101
PID 1592 wrote to memory of 316	1592	setup_install.exe	100
PID 1592 wrote to memory of 316	1592	setup_install.exe	100
PID 1592 wrote to memory of 316	1592	setup_install.exe	100
PID 1592 wrote to memory of 4948	1592	setup_install.exe	99
PID 1592 wrote to memory of 4948	1592	setup_install.exe	99
PID 1592 wrote to memory of 4948	1592	setup_install.exe	99
PID 1592 wrote to memory of 1848	1592	setup_install.exe	87
PID 1592 wrote to memory of 1848	1592	setup_install.exe	87
PID 1592 wrote to memory of 1848	1592	setup_install.exe	87
PID 1860 wrote to memory of 3944	1860	cmd.exe	88
PID 1860 wrote to memory of 3944	1860	cmd.exe	88
PID 1860 wrote to memory of 3944	1860	cmd.exe	88
PID 316 wrote to memory of 3928	316	cmd.exe	93
PID 316 wrote to memory of 3928	316	cmd.exe	93
PID 316 wrote to memory of 3928	316	cmd.exe	93
PID 2404 wrote to memory of 5108	2404	cmd.exe	98
PID 2404 wrote to memory of 5108	2404	cmd.exe	98
PID 2120 wrote to memory of 4676	2120	cmd.exe	90
PID 2120 wrote to memory of 4676	2120	cmd.exe	90
PID 2120 wrote to memory of 4676	2120	cmd.exe	90
PID 1848 wrote to memory of 1100	1848	cmd.exe	92
PID 1848 wrote to memory of 1100	1848	cmd.exe	92
PID 4724 wrote to memory of 3900	4724	cmd.exe	91
PID 4724 wrote to memory of 3900	4724	cmd.exe	91
PID 4724 wrote to memory of 3900	4724	cmd.exe	91
PID 4948 wrote to memory of 4712	4948	cmd.exe	95
PID 4948 wrote to memory of 4712	4948	cmd.exe	95
PID 4948 wrote to memory of 4712	4948	cmd.exe	95
PID 4384 wrote to memory of 4584	4384	cmd.exe	97
PID 4384 wrote to memory of 4584	4384	cmd.exe	97
PID 4384 wrote to memory of 4584	4384	cmd.exe	97
PID 3928 wrote to memory of 3108	3928	Sat14ea52090698.exe	96
PID 3928 wrote to memory of 3108	3928	Sat14ea52090698.exe	96
PID 3928 wrote to memory of 3108	3928	Sat14ea52090698.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14546eea434751d.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14546eea434751d.exe
      Sat14546eea434751d.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat144adc22f2e612dc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14ea52090698.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat1439757f36bcd2d5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14cd569dce36.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 552
    3⤵
    - Program crash
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat1400e35015ff26dd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14af44d511d3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat1439757f36bcd2d5.exe
Sat1439757f36bcd2d5.exe
1⤵
- Executes dropped EXE
PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 824
  2⤵
  - Program crash
  PID:3420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 832
  2⤵
  - Program crash
  PID:2580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 884
  2⤵
  - Program crash
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 892
  2⤵
  - Program crash
  PID:1572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1036
  2⤵
  - Program crash
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1096
  2⤵
  - Program crash
  PID:3284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1516
  2⤵
  - Program crash
  PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1544
  2⤵
  - Program crash
  PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1780
  2⤵
  - Program crash
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1564
  2⤵
  - Program crash
  PID:3472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1552
  2⤵
  - Program crash
  PID:716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1804
  2⤵
  - Program crash
  PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1788
  2⤵
  - Program crash
  PID:4764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1556
  2⤵
  - Program crash
  PID:912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1592
  2⤵
  - Program crash
  PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1028
  2⤵
  - Program crash
  PID:2212

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14af44d511d3.exe
Sat14af44d511d3.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14ea52090698.exe
Sat14ea52090698.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\is-42BCO.tmp\Sat14ea52090698.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-42BCO.tmp\Sat14ea52090698.tmp" /SL5="$C0028,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14ea52090698.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1592 -ip 1592
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat144adc22f2e612dc.exe
Sat144adc22f2e612dc.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat1400e35015ff26dd.exe
Sat1400e35015ff26dd.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4584

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14cd569dce36.exe
Sat14cd569dce36.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3944 -ip 3944
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3944 -ip 3944
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3944 -ip 3944
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3944 -ip 3944
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3944 -ip 3944
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3944 -ip 3944
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3944 -ip 3944
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3944 -ip 3944
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3944 -ip 3944
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3944 -ip 3944
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3944 -ip 3944
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3944 -ip 3944
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3944 -ip 3944
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3944 -ip 3944
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3944 -ip 3944
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3944 -ip 3944
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat1400e35015ff26dd.exe

Filesize
138KB

MD5
d43c9f60c9c54a4cb7d75f3f465671b8

SHA1
2c70cf24dc0d90e363633f4f125d3a8f4d8a7c94

SHA256
371a75b3d5e3325add69c4cbf6b4183a4f317de194b40b7e7f941d356b0a5ef1

SHA512
03c830aef525722ddab51c47dc4721b3acf356a08b41367d6f78daffcd78f27e9a8745d3fb1e3e28bce9a6efb08ee741d40bbf45b2a3c98aa397a9b8dfd92dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat1439757f36bcd2d5.exe

Filesize
505KB

MD5
156091ee046a517b3cc8269cdc229e85

SHA1
d93ab7b74a7d5cd61ff08223c6d12653d280bf49

SHA256
86cb3cfdec6e94d23c7dfb3e23b3a295fe469ba5e6548ce6fa6001bcc168c718

SHA512
1ae674745630faf3c11ef278af064ffefaa48af60c17d6366eba2ae4a8cda39e5310f91442647d828833ab997f103b85026fcaaefeed391212b34fd7f8f81754

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat144adc22f2e612dc.exe

Filesize
832KB

MD5
cb8b31e07ace74fd2cc2bc1f3a70f31b

SHA1
de405d9bb2e5a9b8d2492da0f6d9ae8c220e23db

SHA256
298d960d9afd93e0fb1d2a1a911a3a40ebdacbe84414b160477157a2aa53fb06

SHA512
5cb0996865bfc4f02ee80628744d348b32b1f7a584453b1881fa4907797d496717f185c640a20abea176ab40dd628e178990d3261183281d6344c5798c3301e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat144adc22f2e612dc.exe

Filesize
1004KB

MD5
20f8196b6f36e4551d1254d3f8bcd829

SHA1
8932669b409dbd2abe2039d0c1a07f71d3e61ecd

SHA256
1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031

SHA512
75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14546eea434751d.exe

Filesize
145KB

MD5
ce38ad6931c0a063866aee6710987109

SHA1
e13b663e89fd95aa48908499c294f3e19feed8ac

SHA256
471bc015fe2eeb2be798bb875a2ca1820bd44108551137b4626f5436bd93261e

SHA512
fad20753313d20c6bce1223958790adf4d4bbb39a201ac04aa1977b30ee4d3bf0b89154876acb67123e1581413e82d602e165053d676af3e4ea84459b4e9b902

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14546eea434751d.exe

Filesize
128KB

MD5
28d1a299ad82322979792ad9f6f97c25

SHA1
c3b36726d8c7745a0c9448a55e328ed20672d6ea

SHA256
ffcb4bc73d88a264b59c4144f5773afa28666544a033aca8a44f71377a0f8b31

SHA512
0ac7037cdceedb44d2c40f22dcb10303e3fe801907a43b51423815975303b17d2f7433ff8e03f3c54882bc27a1a93b63db60b0db7386d971cfa9dcd7c1a2193d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14af44d511d3.exe

Filesize
100KB

MD5
cf2b379b7679f073235655b22227c9db

SHA1
80283c3f00883f2545f3d2a248b0e3e597a43122

SHA256
332da9b154a954db8047fe4b5ba352bbac3b1e959e7c8a5aba751bdb127cbacd

SHA512
1d1b16314124e342fa98f3799e632253e3fd42e1950c5e656ca66bd6aa6170dfce65b7e33255cf67c45740741e91db73b234dd792e0e6550b751afe58f5e8d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14cd569dce36.exe

Filesize
896KB

MD5
816ea288c666eb3e30b480e14c621bf6

SHA1
42a42d16f41a8fbeecb8b0956f90785eaa87855c

SHA256
36e63c7851a3aecbc045faf78daf8cc0a11798006d4b5f9df8e0f651f870b6a2

SHA512
4d2ff9dc9b4380829cc5f2bacd8850ac1f19a62a4c3c3234f31dbc7fc917cf40197a8f5a542171d100a2060afc9b9218913a613eabde0dfe0eea8e61928196f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14cd569dce36.exe

Filesize
256KB

MD5
5abf4576a07884a05bcd6cd617b6260b

SHA1
b16c8caa05fa905eaa65c8fe27e933106fc39dcf

SHA256
521ebd65250ef491d8e0f992d63a85d978806441eeb7affe9d6a2f68a76160d0

SHA512
f307ebb5a05d0b07b77f84e94eecc34b789b7000864b5d8cca68cb20b8127a3b5a3452e3b27738e677205514f8e8f3b5368c1ef8c38fd7de0b21ba6974c54e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14ea52090698.exe

Filesize
757KB

MD5
8887a710e57cf4b3fe841116e9a0dfdd

SHA1
8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4

SHA256
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

SHA512
1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\Sat14ea52090698.exe

Filesize
576KB

MD5
071fa244c689447f68bce1f3b4c4d985

SHA1
f9a4c6e026a33af4d5212514220ee373599865d2

SHA256
7fda8dca02678eb41e4c3ae76e99798cfb024ed038774ef371ba089d56afa9c8

SHA512
6a285446df0fb9c44df50fd773dec147c16a45ab14da39c539a3b46f99ed9258050f7bb85af360500f5e9016d4f615c697898bbe15b88782479097c2b870b149

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\setup_install.exe

Filesize
2.1MB

MD5
063e89895d58cc891448ea83d1e184c7

SHA1
ca75fdee0b3822e5a0fce0da1de381a43a49a6a3

SHA256
ae3bc107ecddf09916533e713f2f887a7daadedd621d0960fafba43856d93057

SHA512
bd8e26bea5afb42bae35bcbb6bc518c006d9693e0a75da3460c7f9680d2469fe77df7efb826f0432d3f0f08a3a28908c02844487c8828e2b04365774e5e080be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C7E6057\setup_install.exe

Filesize
246KB

MD5
ed9206d52faafabf1b5db1a651e1cd8e

SHA1
7df6d6c8da575fef0d2d6056f4c612d68ed291ef

SHA256
eb930fec713033cf40cb003be2569685b8348c444a2a70d0b29441cbfa63023c

SHA512
145fc7bfd137c4b29807672f6ef86987a5107be40ca35d8ba6e5154e2b34c8c134eadff4ab52cd4f298c63f178c76057ba2ff95d846ffb06dc45a1ddfb37315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emxttyjs.v45.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-42BCO.tmp\Sat14ea52090698.tmp

Filesize
1.0MB

MD5
aff941b14c26d38c47eb300882086c86

SHA1
ee8e6f3002e83b7c2b4dc3d2aa8a38192709d859

SHA256
f7205ee8c8a40b133e72ab78fdb2c9fadfdf0ff816cfe3791a3850980c6f7988

SHA512
b4bef33bdabe063fe58a3f055b29b6679bb3137eac8df1f3d119dde979eca62dc38f66d94a3379cfc638186455b8dd2f70541a9be13c430615aa876e4aa7d9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MC29J.tmp\idp.dll

Filesize
101KB

MD5
90a2f0440aa3e287e2fdf530be29b38f

SHA1
cbececcbf213cd3285f341a2b8d9720b8a9bc998

SHA256
7fa68476db13b5e4a35788dc2cdcb842fb9fa9c6141c189b41ec2b3601b44015

SHA512
5df0af201b43dadf901deeae96f7b90717866fc298efd465c02883718c79061c9ec462b244f7f9975411ee7900ae4492eb85235b376dd3395cc1f17d415ffe9e

Download Submit
memory/1100-83-0x0000000001460000-0x0000000001480000-memory.dmp

Filesize
128KB

Download
memory/1100-76-0x00007FFBFFE00000-0x00007FFC008C1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-125-0x00007FFBFFE00000-0x00007FFC008C1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-74-0x0000000000C50000-0x0000000000C7C000-memory.dmp

Filesize
176KB

Download
memory/1100-122-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/1592-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1592-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1592-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1592-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1592-123-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1592-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1592-124-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1592-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1592-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1592-49-0x00000000007E0000-0x000000000086F000-memory.dmp

Filesize
572KB

Download
memory/1592-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1592-53-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1592-129-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1592-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1592-128-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1592-126-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1592-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1592-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1592-127-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3108-115-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3108-100-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3320-152-0x0000000003300000-0x0000000003315000-memory.dmp

Filesize
84KB

Download
memory/3900-96-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/3900-133-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

Filesize
64KB

Download
memory/3900-111-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/3900-162-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/3900-116-0x00000000058C0000-0x0000000005C14000-memory.dmp

Filesize
3.3MB

Download
memory/3900-159-0x00000000073B0000-0x00000000073B8000-memory.dmp

Filesize
32KB

Download
memory/3900-158-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/3900-97-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/3900-157-0x00000000072D0000-0x00000000072E4000-memory.dmp

Filesize
80KB

Download
memory/3900-156-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/3900-85-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/3900-151-0x0000000007290000-0x00000000072A1000-memory.dmp

Filesize
68KB

Download
memory/3900-84-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/3900-77-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/3900-79-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/3900-150-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/3900-130-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/3900-131-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/3900-132-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/3900-106-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/3900-134-0x0000000006370000-0x00000000063A2000-memory.dmp

Filesize
200KB

Download
memory/3900-135-0x0000000074DB0000-0x0000000074DFC000-memory.dmp

Filesize
304KB

Download
memory/3900-145-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/3900-146-0x0000000006D60000-0x0000000006E03000-memory.dmp

Filesize
652KB

Download
memory/3900-147-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/3900-148-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/3900-149-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/3928-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3928-118-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3944-120-0x0000000003A20000-0x0000000003ABD000-memory.dmp

Filesize
628KB

Download
memory/3944-86-0x0000000001E20000-0x0000000001F20000-memory.dmp

Filesize
1024KB

Download
memory/3944-92-0x0000000000400000-0x0000000001DCC000-memory.dmp

Filesize
25.8MB

Download
memory/3944-169-0x0000000000400000-0x0000000001DCC000-memory.dmp

Filesize
25.8MB

Download
memory/4584-155-0x0000000000400000-0x0000000001D70000-memory.dmp

Filesize
25.4MB

Download
memory/4584-98-0x0000000001D80000-0x0000000001E80000-memory.dmp

Filesize
1024KB

Download
memory/4584-119-0x0000000000400000-0x0000000001D70000-memory.dmp

Filesize
25.4MB

Download
memory/4584-99-0x0000000001EB0000-0x0000000001EB9000-memory.dmp

Filesize
36KB

Download