e6b00ee585b008f110829df68c01a62d3bfac1ffe7d65298c8a4e4109b8a7319

Analysis

max time kernel
103s
max time network
23s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msoffice365update.msi
Size

2.5MB
MD5

f95336c88ee7f8b6275fac1a458dad53
SHA1

79fea0be5521f44c6b3fd621fb4c95167ec7542f
SHA256

e9cd2429628e3955dd1f7c714fbaa3e3b85bfaac0bc31582cf9c5232cb8fc352
SHA512

aa75cdccc14381f7088bc6090029f4b36e484a4f3e3b0a60e90ded013aa258f47631f40670e200fce687c2271f89a7ef8c91926d5698291740b192927249b896
SSDEEP

49152:nQgIfhlTYEO+w2/64hnPRMB0WkuqES58NtvU:3IZlEN+wK6qRMB0WkufF

Score

10^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Dicks.pif

description pid process target process

PID 2304 created 1188 2304 Dicks.pif Explorer.EXE

description	pid	process	target process
PID 2304 created 1188	2304	Dicks.pif	Explorer.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1252 tasklist.exe
2016 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Dicks.pif

description pid process target process

PID 2304 set thread context of 2556 2304 Dicks.pif Dicks.pif
Executes dropped EXE 4 IoCs

Processes:

MSIFBF0.tmpSymposiumTaiwan.exeDicks.pifDicks.pif

pid process

2896 MSIFBF0.tmp
2284 SymposiumTaiwan.exe
2304 Dicks.pif
2556 Dicks.pif

pid	process
1252	tasklist.exe
2016	tasklist.exe

description	pid	process	target process
PID 2304 set thread context of 2556	2304	Dicks.pif	Dicks.pif

pid	process
2896	MSIFBF0.tmp
2284	SymposiumTaiwan.exe
2304	Dicks.pif
2556	Dicks.pif

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exeMSIFBF0.tmpcmd.exeDicks.pif

pid	process
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2896	MSIFBF0.tmp
2896	MSIFBF0.tmp
2896	MSIFBF0.tmp
2728	MsiExec.exe
1324	cmd.exe
2304	Dicks.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2296 msiexec.exe

pid	process
2296	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMSIFBF0.tmpSymposiumTaiwan.exetasklist.execmd.exefindstr.exefindstr.exetasklist.exetimeout.execmd.execmd.exefindstr.exeDicks.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIFBF0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SymposiumTaiwan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dicks.pif

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2084 timeout.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Dicks.pif

pid process

2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

2296 msiexec.exe

pid	process
2084	timeout.exe

pid	process
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif

pid	process
2296	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeSecurityPrivilege	2408	msiexec.exe
Token: SeCreateTokenPrivilege	2296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2296	msiexec.exe
Token: SeLockMemoryPrivilege	2296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2296	msiexec.exe
Token: SeMachineAccountPrivilege	2296	msiexec.exe
Token: SeTcbPrivilege	2296	msiexec.exe
Token: SeSecurityPrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeLoadDriverPrivilege	2296	msiexec.exe
Token: SeSystemProfilePrivilege	2296	msiexec.exe
Token: SeSystemtimePrivilege	2296	msiexec.exe
Token: SeProfSingleProcessPrivilege	2296	msiexec.exe
Token: SeIncBasePriorityPrivilege	2296	msiexec.exe
Token: SeCreatePagefilePrivilege	2296	msiexec.exe
Token: SeCreatePermanentPrivilege	2296	msiexec.exe
Token: SeBackupPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeShutdownPrivilege	2296	msiexec.exe
Token: SeDebugPrivilege	2296	msiexec.exe
Token: SeAuditPrivilege	2296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2296	msiexec.exe
Token: SeChangeNotifyPrivilege	2296	msiexec.exe
Token: SeRemoteShutdownPrivilege	2296	msiexec.exe
Token: SeUndockPrivilege	2296	msiexec.exe
Token: SeSyncAgentPrivilege	2296	msiexec.exe
Token: SeEnableDelegationPrivilege	2296	msiexec.exe
Token: SeManageVolumePrivilege	2296	msiexec.exe
Token: SeImpersonatePrivilege	2296	msiexec.exe
Token: SeCreateGlobalPrivilege	2296	msiexec.exe
Token: SeCreateTokenPrivilege	2296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2296	msiexec.exe
Token: SeLockMemoryPrivilege	2296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2296	msiexec.exe
Token: SeMachineAccountPrivilege	2296	msiexec.exe
Token: SeTcbPrivilege	2296	msiexec.exe
Token: SeSecurityPrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeLoadDriverPrivilege	2296	msiexec.exe
Token: SeSystemProfilePrivilege	2296	msiexec.exe
Token: SeSystemtimePrivilege	2296	msiexec.exe
Token: SeProfSingleProcessPrivilege	2296	msiexec.exe
Token: SeIncBasePriorityPrivilege	2296	msiexec.exe
Token: SeCreatePagefilePrivilege	2296	msiexec.exe
Token: SeCreatePermanentPrivilege	2296	msiexec.exe
Token: SeBackupPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeShutdownPrivilege	2296	msiexec.exe
Token: SeDebugPrivilege	2296	msiexec.exe
Token: SeAuditPrivilege	2296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2296	msiexec.exe
Token: SeChangeNotifyPrivilege	2296	msiexec.exe
Token: SeRemoteShutdownPrivilege	2296	msiexec.exe
Token: SeUndockPrivilege	2296	msiexec.exe
Token: SeSyncAgentPrivilege	2296	msiexec.exe
Token: SeEnableDelegationPrivilege	2296	msiexec.exe
Token: SeManageVolumePrivilege	2296	msiexec.exe
Token: SeImpersonatePrivilege	2296	msiexec.exe
Token: SeCreateGlobalPrivilege	2296	msiexec.exe
Token: SeCreateTokenPrivilege	2296	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeDicks.pif

pid process

2296 msiexec.exe
2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Dicks.pif

pid process

2304 Dicks.pif
2304 Dicks.pif
2304 Dicks.pif

pid	process
2296	msiexec.exe
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif

pid	process
2304	Dicks.pif
2304	Dicks.pif
2304	Dicks.pif

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

msiexec.exemsiexec.exeMSIFBF0.tmpSymposiumTaiwan.execmd.exeDicks.pif

description	pid	process	target process
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2408 wrote to memory of 2728	2408	msiexec.exe	MsiExec.exe
PID 2296 wrote to memory of 2896	2296	msiexec.exe	MSIFBF0.tmp
PID 2296 wrote to memory of 2896	2296	msiexec.exe	MSIFBF0.tmp
PID 2296 wrote to memory of 2896	2296	msiexec.exe	MSIFBF0.tmp
PID 2296 wrote to memory of 2896	2296	msiexec.exe	MSIFBF0.tmp
PID 2896 wrote to memory of 2284	2896	MSIFBF0.tmp	SymposiumTaiwan.exe
PID 2896 wrote to memory of 2284	2896	MSIFBF0.tmp	SymposiumTaiwan.exe
PID 2896 wrote to memory of 2284	2896	MSIFBF0.tmp	SymposiumTaiwan.exe
PID 2896 wrote to memory of 2284	2896	MSIFBF0.tmp	SymposiumTaiwan.exe
PID 2284 wrote to memory of 1324	2284	SymposiumTaiwan.exe	cmd.exe
PID 2284 wrote to memory of 1324	2284	SymposiumTaiwan.exe	cmd.exe
PID 2284 wrote to memory of 1324	2284	SymposiumTaiwan.exe	cmd.exe
PID 2284 wrote to memory of 1324	2284	SymposiumTaiwan.exe	cmd.exe
PID 1324 wrote to memory of 1252	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 1252	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 1252	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 1252	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 2720	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2720	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2720	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2720	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 2016	1324	cmd.exe	tasklist.exe
PID 1324 wrote to memory of 1304	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 1304	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 1304	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 1304	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2984	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2984	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2984	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2984	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2252	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2252	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2252	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2252	1324	cmd.exe	findstr.exe
PID 1324 wrote to memory of 2064	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2064	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2064	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2064	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2304	1324	cmd.exe	Dicks.pif
PID 1324 wrote to memory of 2304	1324	cmd.exe	Dicks.pif
PID 1324 wrote to memory of 2304	1324	cmd.exe	Dicks.pif
PID 1324 wrote to memory of 2304	1324	cmd.exe	Dicks.pif
PID 1324 wrote to memory of 2084	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 2084	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 2084	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 2084	1324	cmd.exe	timeout.exe
PID 2304 wrote to memory of 2556	2304	Dicks.pif	Dicks.pif
PID 2304 wrote to memory of 2556	2304	Dicks.pif	Dicks.pif
PID 2304 wrote to memory of 2556	2304	Dicks.pif	Dicks.pif
PID 2304 wrote to memory of 2556	2304	Dicks.pif	Dicks.pif
PID 2304 wrote to memory of 2556	2304	Dicks.pif	Dicks.pif
PID 2304 wrote to memory of 2556	2304	Dicks.pif	Dicks.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\msoffice365update.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\MSIFBF0.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIFBF0.tmp" -pqwerty2023 -s1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\SymposiumTaiwan.exe
      "C:\Users\Admin\AppData\Local\Temp\SymposiumTaiwan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1252
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 558563
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "cbsinchhavefcc" Basketball
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Upc + Beverages + Hero + Displaying + Version + Fm + Emotions 558563\k
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\558563\Dicks.pif
        
        558563\Dicks.pif 558563\k
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2084
- C:\Users\Admin\AppData\Local\Temp\558563\Dicks.pif
  C:\Users\Admin\AppData\Local\Temp\558563\Dicks.pif
  2⤵
  - Executes dropped EXE
  PID:2556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8C4540E18174EA5B68985D7A3962E5E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\558563\k

Filesize
514KB

MD5
d15a13fe445a1ca38371c5c7c10d3b4b

SHA1
7f7c9e1b1bfe9b5893202aa8a80559faf3c9858f

SHA256
66ad1c04ebb970f2494f2f30b45d6a83c2f3a2bb663565899f57bb5422851518

SHA512
6368e75f4f1a32db5d802aec4015a658ecb81a0e0f4a660d1dc569b481bf4c64d1f761453dd6747e27ee44b8c183ddb41c0f5b15af18b460abfc4c882c463aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Analysts

Filesize
42KB

MD5
0c14cfb8c7613a8ef93e4d2d3ffb5d98

SHA1
eff8f317df1efab123090285e0827df759c259cb

SHA256
c1f8a6a30088526d8af3e250cd795401550ec8d86538310aa9c97dc5b721cfa9

SHA512
990c0947247f23b4fa693191bac66ec2b823fc90542dce0f92285f2d934a3a89e662a67b95f42e6dd3d398a3099e625d527d323474643f43a9f5e103eb2e6552

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assumed

Filesize
9KB

MD5
c152fc29fdc5d9fd55c4a8f28d9ef774

SHA1
1d210000c98bf58f6a0ad29561c7ceb3c421f99b

SHA256
5dbe81f978922cb690e0eac34284d20f76b0eae329afe44986959688c7e7e44d

SHA512
8730c7baf9b15991988655305951db85f227317e3dca67b4a84948ce15fede2505b79cda12b15dccbcf8960198957ed37971251c6b71691047bede90dfca09fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basketball

Filesize
203B

MD5
3750abafe105de58d3cc431fb39159a8

SHA1
a3e1cce867900da49347d2c8d3615c7806acd966

SHA256
e8641d676c6ddf1dcabaf2a6706a849ef66d3c6ac23bea142b0753531de986b4

SHA512
5c36eeceb1e69a8d74aeab2a2ddb0477b3b2264c4dff729dbcdebfd93ff9b668c0522b950e1fd4a96b5a8b9438a46fc11de67ed2e998b3f753cf8fcc34095ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beverages

Filesize
168KB

MD5
ef6d6256127644e3458355aafe4c6b23

SHA1
45003deb6c119040b14d9267a70074735017f231

SHA256
6acd995779df71d95f2304cf5674f5111543d32a99adf2b226add956ba02d0ee

SHA512
afe5341ccb0613f36c5d23628976a788bca4c40fe0ad94a240155c0a6bb89f35b48e7a42ddd8f0dd2bad4113871ac4f05af8018081f623403719c142ea20fb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheque

Filesize
12KB

MD5
e6bdce0d05a909096b386816f3cfa1d5

SHA1
cfaa808e69a83141355c53b64a9e24ab411d4145

SHA256
0b6d88675181405a96a08385458dfad98ccbb1b09673171c2ce8c5152bc6dbf7

SHA512
9b4ffe33a33e64f9e7a74b710479a6e17c45c2ea22cc071b7d2e1741e29947dbc0250a315a9a64a76b9e7798f229c17313cf31f59429053ddc65cb24f2d5736c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Displaying

Filesize
42KB

MD5
680d98e0bd235c7540f04e312054b618

SHA1
54a5683c47499198628e5ce8f7846d2bd9a35003

SHA256
953516f9eb6dd9bec518b19d10fd6f0032e25375cf42b33e55d31efb7b2510b4

SHA512
fae2f8fb89f01888d74fd4f5a165cdc438a14fcacb7976976f25bc10f27e80c3e8e7cad561afb5fc017245b9a9378059714a6732ab83a0c113d46481d196c0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
14KB

MD5
91669d2811ec08c6666f7b1706df64e8

SHA1
fbf5ef83df24f56c6b7c1860a86f0438ae80ff21

SHA256
ef93bdd79b869699569321c1d9bc35e3b3a460a8403c8bd071b3274f964e00ca

SHA512
8b909eb7c28b3adcdff603a3e693785a7692b14c8214c3bf17ea86548e8442508c7b50749181b0277398bbd91ba2a06f34a21ca9bd8e8497cfb1d925691051fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explaining

Filesize
35KB

MD5
5a3d16fd1534fe809ae023b2c2b4a6b5

SHA1
cac3fb5788d47c619e4b338791f50ea16841ba2f

SHA256
217ccae25b5995b64c31371c24936e42480b53430d173a5a2b4d7e462e446cbe

SHA512
6f9388c4413bae05411e0b5fed3bf4544fffc9dc6cd4b6f0c3a5f481c363e11a73e37a4397459999544334fef7e8c5dd49176a1f6cc9e1ec258d770216d8f5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feeling

Filesize
38KB

MD5
8713bf8c2e1926d8b6033b58cbe61387

SHA1
ee33f1cbd6534373fe5e74d8be7a37cb0173b3af

SHA256
25c1ad9ffa7963c095c230bb14ebede0216c9229bd88b8889ea8855d1d7a4f6f

SHA512
8abbc0299d541a15c671b142ac844cdbd74f3cbd533a0338c7d2b75b3fdf3b67c32f02d605a4c7150a3a8e314129dc51de95646c1b087b7763d697fcd38fc308

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fm

Filesize
29KB

MD5
af934a1eaab0dc191e39cf07ae8b275f

SHA1
8ddda338140f740809eb25c8d24f81f1ec7cef81

SHA256
f956e234ed66a2af4a2111a9c33428fa4de75e898edd11a242dd9e6709d9e5eb

SHA512
8d174dd6164549829fbc254f8f6d4a1eed1935aebbacfc5394b972b39caddb794c4bbda4606ec37b2da6572774ce2479f0b581fe04eeb9ea8a45402501722f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grain

Filesize
64KB

MD5
a11fca307bb7c930c87c6cab295340bd

SHA1
f4e7b212d8b8a0b1c8fb518b1afe91ae35f96786

SHA256
3d6207058f9ab3c3226c12fd37002064729bd043575325ce343ca1d225f2033d

SHA512
ccdcf1bea0bac86de0d2c5fd2c1482f7b50105dedaebdceb3f2e4a91c9d36161d9da35085bb4315a596873aad55459194756a008800e7a585e23ee520e3a5937

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hero

Filesize
52KB

MD5
82f500a3e4543c57731f4c469f7ea564

SHA1
f453f57b850539b619e354492dac78a6c6db37c2

SHA256
62563c7ece10e9c7c7c2f653fca6f3b1ac5d1964231d7c36180986a61063821c

SHA512
5ff7161f530082d371974016ab8cabe31155be1cea341d509dd30a8686c1cd568a901b33b7010bb84d0c878586159c61c39fe45df43c33b4586447e3df33ca66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Immigrants

Filesize
47KB

MD5
aa8484d81ef1b3776a3deec13f67bf50

SHA1
14dc05fafaaed35729365c0eb55afcbe9b8cd61d

SHA256
b26f2264e5d55a9de7992f9120f8b6046d62ae1276bec4321b4b6034824c0594

SHA512
b54669bea8729116259baf26bdf5f5f2da9ea7ee45ea68a18ba2430da1701b6463edf7d572d151b180bc31d9b323828404bd565f9577fe30471e067a660457a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kelly

Filesize
40KB

MD5
0d65f03f34051bb360314ec14ec3622d

SHA1
f19b01e3216cd681cbc163a86f0ecd09b6616124

SHA256
1ed99fa136dc8f167ac6475067dccd9155420c1600c28b5e1af6f9791a9008cd

SHA512
0b4d85b81dec70cda9af9e5d122fb4e140cb15e18f0aba9e993802f2e1d43f23632501ad01bd3e51c05329c0886a093332a8c7a2307de3999df545affef2d7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Louisiana

Filesize
51KB

MD5
0c32080bc0ad79d95c7a56acedff6f11

SHA1
f5a682d86718c50f0c876f8b377f7b750469e5d9

SHA256
2ebc9b817367488c904f1ca4a291f295d45ea25d83e51aa8e7c30bb5a27001df

SHA512
5ef6d94d756d26f6f68ea9d0a4ab5f34c5a43148c780ea7006db3ab8c099ad65d906dc67c6c365c422bc3118f712caa1b32c773c129a3028870e231b61038282

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF586.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFBF0.tmp

Filesize
1.4MB

MD5
689e01a34a731c6f051e39cd55fb71ad

SHA1
bbad0dbc3d72c5e24eeafb6e0019acda5e1b2577

SHA256
c3e50ca693f88678d1a6e05c870f605d18ad2ce5cfec6064b7b2fe81716d40b0

SHA512
ec11d977112f11bb5d33b20fdca47cda3fb0ea7703e73956386d6c4c355ea2aafeb9ccabaa62b40fb70832ba75fa4eb63849bff1c0ee4d3e6d8a41ad8df77720

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manage

Filesize
36KB

MD5
92ebd7790025d165c1d671532ba99f3d

SHA1
01ad90519df1e6b770962497b81ae0ad5afd83f8

SHA256
2a258c9e0302e3388990bd86fc8b85fe58d8be94a372484dcbe22ac370027002

SHA512
6541efb935c66edf9cca521d1e40ea71ad66eb6c93850955428116c352df9cca38bd2757c6a70c7ed4e41e942e1184b32b3483ab0dfaa56c1dbce3ebdbc5a06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notify

Filesize
38KB

MD5
c30477d5ad1fa92e93d0513c28cdd1ad

SHA1
fe308e75ed78ed09c7760fc03a852c105ba528ee

SHA256
f85c284acc9463d75a6358573fd9b57e9a1d43bcac6e855a5795bfaef8d37d6a

SHA512
e337445a7199b3cc65608048f7f100a1ad6caf4945259599bd80ccb92cfa8623ab37281ebee8b8f5da06a39cb57e9ec3346f4c88d2c66a4d4c18ed8e5e5bbefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oak

Filesize
49KB

MD5
fbd4dea3840790463e178b18960d6e9e

SHA1
8e6b23049ea6a07c940ddca49d7fc0124a78a3a6

SHA256
3a525209b8eb20faefd25c485984906ddb74ae394c4bfb5aad875d6d45c8a468

SHA512
48c738564033e78024f0267a6caa9ddb11eac34736cce1ad3c8d4460df4de1cfafa4fefdfaa2704541788b50f2544c05423b02f3353a829ecf7dc79cf800e8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Open

Filesize
19KB

MD5
c42e7842a08143f56d20dd918e84e85d

SHA1
4bf5b1654cc920c0f31756075c3b500a0ade3c26

SHA256
6217436a326d1abcd78a838d60ab5de1fee8a62cda9f0d49116f9c36dc29d6fa

SHA512
1b50d780911ff012111f69e4e0b20471c848f860294edc1d42c034040b1f826f39bcbab0fc2f93baf6ae754f9543bfd5fe60ccfcf640a6d430bd03cc8642c178

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paintball

Filesize
60KB

MD5
2bf3f284e4d2a5bc55a376c71c1198cc

SHA1
d7480b2d78612a1b46975a6d8a27461940d4310b

SHA256
9044dbe881f19c2550f99213b1889a08449473ce636c560211d4e72359fa5ee8

SHA512
cd6223c8700fc7cd06281f77809fe5e1289fb2843a54f9771442f25d3cb851813d326eae446c675f5b89b7415c419afc0620a76f4b52e271f351a2cee416d877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Productivity

Filesize
60KB

MD5
a29b73c8cb0376d54e778449f753c8b0

SHA1
51ed4c9b6b9bf0d8244a11fec32195bddcf2f5e2

SHA256
e86015ea39997c8dffb8e66a7e00c32c51c1ee54b1c442d07140cc35e1c75bda

SHA512
81ef364ded793c4e90990f294a157e385eef6f03f0eb206c1919d4235d2e9252ccf6dd0548a5dab26188c3dc4d8a3dc887dc1f8e7f08ec87541ad1a5cbabfbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qualifications

Filesize
22KB

MD5
d36668eae72cdc7d8bfa304d077ae963

SHA1
32d37b24878075bf79f485ae4338e4b1dd40fd73

SHA256
15e0c68ccb37f85cd27792dfc609b812ec4fb801a13cd58ad845eea36e496227

SHA512
5eaf0325b34af912e320bad0ab727502075dc3e5b7e20ad57e8c7121059cb83683e158475ab5f937552bdeff4893beb6987f3cf8257421a8dd55fc5f3c0ba741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ring

Filesize
58KB

MD5
7674ccda1027e86f68ec444239962d73

SHA1
ec8927e8b45b3a43f161b9557b4928253deb23a0

SHA256
93ce23d08acc6f82a539da4fe443fea7f964dd3bb27a5f2688c6cd6138228e35

SHA512
30b6180352dddeb029d1dbff52bac19ee82d84d9af1207a4865415e7c262885e2e25a835272743ffe76b21251743b20f90f6e7e77c759e18dbe07cc5de7cf3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spa

Filesize
28KB

MD5
c4851242e548e6ad05e9b2ffe5e2580b

SHA1
96a225698409f2ca62ccbf2d713fe09dd35bd3fc

SHA256
da88ae00864c34a27bb185b5142849ea648f63ffa24457fec6b9ee1c5ba749fc

SHA512
c4419f4bf0f708974a1162e43b560ab3726a81de25b8d8834b284dd5cfe0a32889d51c3c7a3b35836cdf8c0e173bd463922ef275e4f051af734aba242f184532

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transexual

Filesize
40KB

MD5
4c37159f85553def2883f4453218d072

SHA1
fe1a4e4aee90f3b76f72067b10d9dece9060c75d

SHA256
ef4a7d7ed216d18cb47b27fe8ef5d435254c5c3b26b67010bb6d3d6cfd19ed0e

SHA512
06644d58bd3492e61436d16239ab30a033172917ccc3e608ab78a41cd293f2931c8b1787ef8e379b048bd904f26e619160b4899c5a0bf545221cfdd7de5be5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twin

Filesize
11KB

MD5
8a4ac337026d6f73c85981b18fa1e648

SHA1
1385e070b2af4b87b9ea5076b544def879a91d4d

SHA256
57f70ccb47b4a699c3b02671b10c4da55cd3c247114ddc4b09c6c8da5b90acc9

SHA512
9e195a68f47f18787741edd4f4898458f73647fae19abb3bbedf97f52fe21d76f3f0358baa153ff305e21ded9570fbf658ea8bb3089e80b47ebcf6407b00c3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upc

Filesize
186KB

MD5
22691791d3a733dec6493ce2cca63d73

SHA1
6efdb37c4c2513e7548f4cecc195af0bb0a8c881

SHA256
d7a52b0fc747e94ced1a692f40633ce42811ac6142167a193a793a76f452fcfe

SHA512
39b79737f1638c844a7c71e736192a7e39e451c9faad877913534dc3a279dc99b84e2305134fcac089935927ef3ec51bb45a7593d0cd78cb6f7bf8875bed2ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility

Filesize
21KB

MD5
9882e92db973318f32f3505b791ffc9d

SHA1
b16fefc8d2ab20f6c162be4f17f523a3dc325424

SHA256
4f0fcd6a11f1fc9caf98b25beeccdcec493ac4bae19ec482bf2a0042a7c39c8e

SHA512
c6222cf2d747fb2cffdebc0b375e8db39d87b0fe53208b94d4ae7d77e1fede3bea07408cfd3f90b4a25b77017152a054e2d65bbab934494266f466a4fb871d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Version

Filesize
23KB

MD5
5186f1ac9a41b0e0c69ac5b2a9b7db08

SHA1
5df69596b33803e2b5efe76878a88f05685a4610

SHA256
97ded545189ceb180c5c14ed1296b65cc75454f3404352e990ccb351ffc415ea

SHA512
6901bf59349b570630415fd280f764bb43c7ccc6200f07ddda95b1eca85470bcbd598699c445a1997119c58ec84e5e77e88e0dec003ac583e69c1a3e0399d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Webpage

Filesize
19KB

MD5
00a130481474b4132c982a6d95886eae

SHA1
4dd83cc3eaa4bd944e01abd072bdd31043bb81a2

SHA256
9be525dd455dfb9c1afff50a47bb5b62dd4315526dd49bc3a7b4fc6f1f0439f1

SHA512
85a0a53e89a691eb3a0da93f4d349e860092cceb3e47b1ca2d7072b58c4a5ad31db1a9d01d0082e1d5f071de86a23ec3b1e2a3ebe202fa4e051d8c7bb1eaa76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Width

Filesize
27KB

MD5
e50de998a256e01e6536b4281f3178a0

SHA1
01d9d580f43ce908e4d760d9f77d7cb066f9ab9e

SHA256
e4a862172eab45bae8629b6739209ebe566226fb061e519c4a9fcc8f0f9f93ef

SHA512
428564a3aa55f508bb0feeeb4fce1ad47d831f9a7efab7a6cbc4df7c29442f9e087778061f90ecc85fa6108fa85636e67429000b3e3ab5a551a0c2858c6da42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wt

Filesize
56KB

MD5
8df61919da514a7a227eec18a671b1c6

SHA1
2c6ca656264195f06dfeee6ea0f54c61735f82da

SHA256
88d9a96883dc6d7da890c99ef037012e9d182fdefb534ad585055a3508bf44a5

SHA512
e8f2e0a360de021cd14566e2c9f5fe255c8ac791b5a1bbaeb70c792736a05a966f734492261ad7f81218ad9b1efca0abc3a007f7bf72f1d092ce4a71cddf04c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yearly

Filesize
9KB

MD5
91c5603640ed6185cc1632a4a082b258

SHA1
b09a21215df734742a616690b7a3b064c78a2ed6

SHA256
21ca6466e4ccef48640da37a48505729786c43bafb7c024eec7be34e9c50b367

SHA512
0e91e5c28bd7b744713e803555304236f0c4ba176073edd8bd4dbcdd642165c8976342578786eb9bb4cab561c25eb37c59a4ab977f089353eca3b95daa24b9c6

Download Submit
\Users\Admin\AppData\Local\Temp\558563\Dicks.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/2556-527-0x00000000000D0000-0x0000000000125000-memory.dmp

Filesize
340KB

Download
memory/2556-528-0x00000000000D0000-0x0000000000125000-memory.dmp

Filesize
340KB

Download
memory/2556-530-0x00000000000D0000-0x0000000000125000-memory.dmp

Filesize
340KB

Download