babadeda | e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
Size

6.5MB
MD5

9e2b456c62b027c89b36dc9109e50f01
SHA1

617fddb80de29bc455c0ecfd4b64d194fe911541
SHA256

e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
SHA512

18ee2debeac010286291d3af38b46cb29d2503e8056b5ab74120e6934e4b16396d894e323dc11eb5cd1902ea0c30fbac75f03dbda74ea670d3828d7b6318bf59
SSDEEP

98304:5p4wd88KSX2ylsm84rfq/03ZUVaxNv3DiPF1D/lAd3YR77vhBLAbRGH1oVda3WHx:Iwe8B21mNfq/0+IxgP5sE77vfLe04rs

Score

10^/10

babadeda outsteel crypter discovery loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe	family_babadeda
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf	family_babadeda

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

2508 ICACLS.EXE
2896 ICACLS.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2508	ICACLS.EXE
2896	ICACLS.EXE

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.execsvhelper.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\k:	csvhelper.exe
File opened (read-only)	\??\l:	csvhelper.exe
File opened (read-only)	\??\o:	csvhelper.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\h:	csvhelper.exe
File opened (read-only)	\??\x:	csvhelper.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\e:	csvhelper.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\q:	csvhelper.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\n:	csvhelper.exe
File opened (read-only)	\??\v:	csvhelper.exe
File opened (read-only)	\??\y:	csvhelper.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\b:	csvhelper.exe
File opened (read-only)	\??\w:	csvhelper.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\i:	csvhelper.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\g:	csvhelper.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\a:	csvhelper.exe
File opened (read-only)	\??\s:	csvhelper.exe
File opened (read-only)	\??\u:	csvhelper.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\m:	csvhelper.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\p:	csvhelper.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\j:	csvhelper.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\r:	csvhelper.exe
File opened (read-only)	\??\z:	csvhelper.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\t:	csvhelper.exe
File opened (read-only)	\??\T:	msiexec.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/60-981-0x0000000000280000-0x00000000009BF000-memory.dmp	autoit_exe
behavioral2/memory/60-983-0x0000000000280000-0x00000000009BF000-memory.dmp	autoit_exe
behavioral2/memory/60-985-0x0000000000280000-0x00000000009BF000-memory.dmp	autoit_exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

se1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation se1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	se1.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\SourceHash{6EDAE2A7-3AD8-49A4-8751-7FB5826F46B9}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI6E4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E4C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61B7.tmp	msiexec.exe
File created	C:\Windows\Installer\e5760ec.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5760ec.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

se1.execsvhelper.exe

pid process

4724 se1.exe
60 csvhelper.exe
Loads dropped DLL 3 IoCs

Processes:

MsiExec.execsvhelper.exe

pid process

3988 MsiExec.exe
60 csvhelper.exe
3988 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4724	se1.exe
60	csvhelper.exe

pid	process
3988	MsiExec.exe
60	csvhelper.exe
3988	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009b9629f4dfdec3790000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009b9629f40000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009b9629f4000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9b9629f4000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009b9629f400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1776 msiexec.exe
1776 msiexec.exe

pid	process
1776	msiexec.exe
1776	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	5040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5040	msiexec.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeCreateTokenPrivilege	5040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5040	msiexec.exe
Token: SeLockMemoryPrivilege	5040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5040	msiexec.exe
Token: SeMachineAccountPrivilege	5040	msiexec.exe
Token: SeTcbPrivilege	5040	msiexec.exe
Token: SeSecurityPrivilege	5040	msiexec.exe
Token: SeTakeOwnershipPrivilege	5040	msiexec.exe
Token: SeLoadDriverPrivilege	5040	msiexec.exe
Token: SeSystemProfilePrivilege	5040	msiexec.exe
Token: SeSystemtimePrivilege	5040	msiexec.exe
Token: SeProfSingleProcessPrivilege	5040	msiexec.exe
Token: SeIncBasePriorityPrivilege	5040	msiexec.exe
Token: SeCreatePagefilePrivilege	5040	msiexec.exe
Token: SeCreatePermanentPrivilege	5040	msiexec.exe
Token: SeBackupPrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeShutdownPrivilege	5040	msiexec.exe
Token: SeDebugPrivilege	5040	msiexec.exe
Token: SeAuditPrivilege	5040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5040	msiexec.exe
Token: SeChangeNotifyPrivilege	5040	msiexec.exe
Token: SeRemoteShutdownPrivilege	5040	msiexec.exe
Token: SeUndockPrivilege	5040	msiexec.exe
Token: SeSyncAgentPrivilege	5040	msiexec.exe
Token: SeEnableDelegationPrivilege	5040	msiexec.exe
Token: SeManageVolumePrivilege	5040	msiexec.exe
Token: SeImpersonatePrivilege	5040	msiexec.exe
Token: SeCreateGlobalPrivilege	5040	msiexec.exe
Token: SeBackupPrivilege	1124	vssvc.exe
Token: SeRestorePrivilege	1124	vssvc.exe
Token: SeAuditPrivilege	1124	vssvc.exe
Token: SeBackupPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeBackupPrivilege	4048	srtasks.exe
Token: SeRestorePrivilege	4048	srtasks.exe
Token: SeSecurityPrivilege	4048	srtasks.exe
Token: SeTakeOwnershipPrivilege	4048	srtasks.exe
Token: SeBackupPrivilege	4048	srtasks.exe
Token: SeRestorePrivilege	4048	srtasks.exe
Token: SeSecurityPrivilege	4048	srtasks.exe
Token: SeTakeOwnershipPrivilege	4048	srtasks.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

5040 msiexec.exe
5040 msiexec.exe

pid	process
5040	msiexec.exe
5040	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exese1.execsvhelper.exe

description	pid	process	target process
PID 1776 wrote to memory of 4048	1776	msiexec.exe	srtasks.exe
PID 1776 wrote to memory of 4048	1776	msiexec.exe	srtasks.exe
PID 1776 wrote to memory of 3988	1776	msiexec.exe	MsiExec.exe
PID 1776 wrote to memory of 3988	1776	msiexec.exe	MsiExec.exe
PID 1776 wrote to memory of 3988	1776	msiexec.exe	MsiExec.exe
PID 3988 wrote to memory of 2508	3988	MsiExec.exe	ICACLS.EXE
PID 3988 wrote to memory of 2508	3988	MsiExec.exe	ICACLS.EXE
PID 3988 wrote to memory of 2508	3988	MsiExec.exe	ICACLS.EXE
PID 3988 wrote to memory of 2824	3988	MsiExec.exe	EXPAND.EXE
PID 3988 wrote to memory of 2824	3988	MsiExec.exe	EXPAND.EXE
PID 3988 wrote to memory of 2824	3988	MsiExec.exe	EXPAND.EXE
PID 3988 wrote to memory of 4724	3988	MsiExec.exe	se1.exe
PID 3988 wrote to memory of 4724	3988	MsiExec.exe	se1.exe
PID 3988 wrote to memory of 4724	3988	MsiExec.exe	se1.exe
PID 4724 wrote to memory of 60	4724	se1.exe	csvhelper.exe
PID 4724 wrote to memory of 60	4724	se1.exe	csvhelper.exe
PID 4724 wrote to memory of 60	4724	se1.exe	csvhelper.exe
PID 3988 wrote to memory of 2896	3988	MsiExec.exe	ICACLS.EXE
PID 3988 wrote to memory of 2896	3988	MsiExec.exe	ICACLS.EXE
PID 3988 wrote to memory of 2896	3988	MsiExec.exe	ICACLS.EXE
PID 60 wrote to memory of 2388	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2388	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2388	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 8	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 8	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 8	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4980	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4980	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4980	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 1048	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 1048	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 1048	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2780	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2780	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2780	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2504	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2504	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2504	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4424	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4424	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4424	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 864	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 864	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 864	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 3052	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 3052	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 3052	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2496	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2496	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2496	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2288	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2288	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2288	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4732	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4732	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4732	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4704	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4704	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 4704	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2216	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2216	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 2216	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 580	60	csvhelper.exe	cmd.exe
PID 60 wrote to memory of 580	60	csvhelper.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4973ED0FAB5ADF7011FA1732CEFC26CE
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2508
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
      "C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
        5⤵
        
        PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
        5⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
        5⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
        5⤵
        
        PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
        5⤵
        
        PID:580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
        5⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
        5⤵
        
        PID:4276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
        5⤵
        
        PID:3296
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files.cab

Filesize
6.2MB

MD5
6f7c8bbe4e94980ca7c1b878c048be94

SHA1
2ee86ce71bd986ff8e92f5a2b876098ccbab42dc

SHA256
f7d0e68a4513d8de00698dda1aecfb5ca4efa1871c9141764ce641a0d1d034ae

SHA512
4c811c848621873d871246ac654257954d569747653dbfaad40b434be155435590573699cd4b89eac5de1cab446571b8ac1ea1ec0d068b04bb769f983913983b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe

Filesize
16.5MB

MD5
e3ffe9b1db336ca7f34e0f26215d4ee4

SHA1
3ec434df80529311342401ac7a7acd066e19c90f

SHA256
700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901

SHA512
71168c55f1c159d48b11f951fae2c8686fc66e4e1ba57f5bc2904cc06af71d096ebc60220745133c83c5a06682621736c6f73261658af5ab086b5831f91c9a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\msiwrapper.ini

Filesize
1KB

MD5
eb7c810bfc79c6ee2e5a5e7727fcb24a

SHA1
0ff13cf99d3b62550c9110047d600a6f98005156

SHA256
3c50c5b1e15a5433f88d92c0e42c4e87b1b32a18a936e12f430a8257e594f397

SHA512
b89998d425a37a03925a0d5b13c3076fae173738ddc3a087f9df4ff1c7b010e65fa088562e558d5dbf3a0be416553ef7b4aa643aad9ed64186c2796dbad63df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\msiwrapper.ini

Filesize
1KB

MD5
00936651b95fe2b496c40a99a67359da

SHA1
8f66e37cb485cc116f116722f655f6f77ed8adb7

SHA256
b89e87c2f80401df2d79748575a9d63f1c7aa99c29bca3eb41ed9155dcfe8dfe

SHA512
e5c84f6ac1b5d3e29f503d7aa3db71864a22efa2bbb00e7d332fefa6f92593e73344d1acce19e7a7c95a75e118396b9a1de59d359a01942919f6e1ea97c7a994

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf

Filesize
2.0MB

MD5
349a1d8bb00ae11bbf535cd909838c65

SHA1
c7b9d73580d6c733fbd5875bbccfbf3b792018e2

SHA256
93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4

SHA512
f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
2KB

MD5
44018e1779270b083ad90da3dffe9b15

SHA1
e09c06b564abe26bcf91ecb7632d761c3234b30d

SHA256
71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c

SHA512
ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
4KB

MD5
b3c74bb5250effad46ce11a96c9468c2

SHA1
3a339e244a29fe41d13fa4cc951a7e0a2862e299

SHA256
5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825

SHA512
a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
4KB

MD5
3272be2da53b6d5271111431f7d90d28

SHA1
7ec382eee6282454d5b0b03751f3d14c568bbfa5

SHA256
4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982

SHA512
45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
2KB

MD5
228d4bd899577ed16ad3ac74b592a0e6

SHA1
baf99e34e126d6c41b7aa39caabc2376358bab70

SHA256
fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5

SHA512
285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
2KB

MD5
2719683b8dba819f2e6bd9e9b7307f1c

SHA1
6cbac17ebf8b56489ad8b8c458dd618b2788512a

SHA256
316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a

SHA512
96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe

Filesize
6.9MB

MD5
f5de326683df44d71ed1b986fd836e0b

SHA1
33bc899da6afd2b82b27d59acd0844b521e57079

SHA256
17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f

SHA512
12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\libfreetype-4.dll

Filesize
3.9MB

MD5
1bf457ea201a3374f7c37f43d5c3ffdb

SHA1
bf693ad6b3070cfb60902eeeb3a290bad531bbd0

SHA256
9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08

SHA512
c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074

Download Submit
C:\Windows\Installer\MSI61B7.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
f91a761adffa6a40ce5a428fea48a473

SHA1
129a30f5c9ee7696f0544599249d5632ed9979ae

SHA256
de2b00309cf72aff0cad62658e5c9f1b816f234bb78a73b2b45dac164e8455b6

SHA512
d0d1bb1eae5aa64d4b382f9f5707e0b4bef780a824bd560712c41ad850f34f9bbc5326b74dc5e5b21e6933fb0d8ffe95c8b09629c8003f40f05f473a42fda5c8

Download Submit
\??\Volume{f429969b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82cdeeaa-b942-4d49-9bf5-346f7eeffd6d}_OnDiskSnapshotProp

Filesize
6KB

MD5
f7ae3c295729162ecfa9f298bc98d013

SHA1
d96194a2a17bbd7ab0b87b137508c48cef8f87a5

SHA256
f926af16511fa895d39335e5cd567e4e3a90f47bc050df1b534be6dfc6211f5e

SHA512
a84b1a3595517069fa35310f1420004ad626aa639ac2e8619b2cbee52f495983d8dbd01a8f15d5578421fe4cc3939f1d8e6e9a571b88283c3501b7cd72c7990a

Download Submit
memory/60-966-0x0000000000280000-0x00000000009BF000-memory.dmp

Filesize
7.2MB

Download
memory/60-981-0x0000000000280000-0x00000000009BF000-memory.dmp

Filesize
7.2MB

Download
memory/60-983-0x0000000000280000-0x00000000009BF000-memory.dmp

Filesize
7.2MB

Download
memory/60-985-0x0000000000280000-0x00000000009BF000-memory.dmp

Filesize
7.2MB

Download
memory/4724-964-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download