72e02e3c8775ae09c15358db08f4603521b7b0920f35ed78d7acb8c789bee230

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.3MB
MD5

d6ba87ce4be40d56b1689f2b7b154f5a
SHA1

9231d0829bd050cef0e1b21fa1ef7cd885913027
SHA256

72e02e3c8775ae09c15358db08f4603521b7b0920f35ed78d7acb8c789bee230
SHA512

277a7ff558d9fb975fa4dac751db371f3d31ed3b47f0fb16e40f5c162be49f25cf5774040d5e9065b67062acb39171626d469b869c22357a4d50f5b04d609061
SSDEEP

24576:wjbWQMbhx9GCcM96XcEyOJnc0+8IYgGaLnN3R3UUXweNiWAZQc8:AJGTv96XbJnI8hgFLnvbiWxL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2396	setup.tmp
2676	unins000.exe
2320	_iu14D2N.tmp

Loads dropped DLL 10 IoCs

pid	Process
1964	setup.exe
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2676	unins000.exe
2320	_iu14D2N.tmp
2320	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_iu14D2N.tmp

Modifies registry class 61 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c00310000000000e858b96910204c6f63616c00380008000400efbee8584b68e858b9692a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4600310000000000e8584b6810204c6f7700340008000400efbee8584b68e8584b682a000000593d00000000040000000000000000000000000000004c006f007700000012000000	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c00434653461600310000000000e8584b68122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbee8584b68e8584b682a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000105981a6102054656d700000360008000400efbee8584b68105981a62a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "2"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2396	setup.tmp
2320	_iu14D2N.tmp

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp
2396	setup.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 1964 wrote to memory of 2396	1964	setup.exe	30
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2396 wrote to memory of 2676	2396	setup.tmp	32
PID 2676 wrote to memory of 2320	2676	unins000.exe	33
PID 2676 wrote to memory of 2320	2676	unins000.exe	33
PID 2676 wrote to memory of 2320	2676	unins000.exe	33
PID 2676 wrote to memory of 2320	2676	unins000.exe	33
PID 2676 wrote to memory of 2320	2676	unins000.exe	33
PID 2676 wrote to memory of 2320	2676	unins000.exe	33
PID 2676 wrote to memory of 2320	2676	unins000.exe	33

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\is-S6H27.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S6H27.tmp\setup.tmp" /SL5="$3011E,1032096,51712,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Need for Speed - Carbon\Uninstall\unins000.exe
    "C:\Users\Admin\AppData\Roaming\Need for Speed - Carbon\Uninstall\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Roaming\Need for Speed - Carbon\Uninstall\unins000.exe" /FIRSTPHASEWND=$E01B6 /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Need for Speed - Carbon\Uninstall\unins000.dat

Filesize
76KB

MD5
54bf3871f54b323f0d4b6407c7335b05

SHA1
5a003c5f2dc41e0d89bdc1f016701120f34cb9b0

SHA256
28e9d110d38be63377711dcb9baa7538f269a7f28ca9c6fbba154b919a513685

SHA512
3b147d640749da619ef1161edcc14ac449368bd55ddf7124cc9df18bf96c3a69a755e5328840cbbef0dbb957959bb3e06942658c5c08185674aceb2a286d021f

Download Submit
C:\Users\Admin\AppData\Roaming\Need for Speed - Carbon\Uninstall\unins000.exe

Filesize
901KB

MD5
85b962bc40fa4049fff8a54e3e9c94cd

SHA1
1aaed8c8580ee7580ba4aba974856a61fec30a5f

SHA256
3cd207c7d7d1cea81325f6938a23c863ff3f91ad8294543a017d9eb2e2526c4d

SHA512
43c3132bc17a7faad7adda20cd7fe22175f479af2703945201cc78572d815d64cebc30e4465ec7c00f3553f0be5994ab10f7490accd307c4fb858b20627b26ae

Download Submit
\Users\Admin\AppData\Local\Temp\is-4KBSB.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-4KBSB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4KBSB.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
\Users\Admin\AppData\Local\Temp\is-4KBSB.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-S6H27.tmp\setup.tmp

Filesize
891KB

MD5
c271d8ac91523c8e724517edd16bea98

SHA1
b72804bf80902e3934cabd7cdca409d10cde6fec

SHA256
36dbb96a1a6ffccb7a92e592316c32b74d14c771a53ebcfb23275424e0ba4d54

SHA512
be22a951ffbe51896adb8adab50871c99f9aac614f61efe7fe9625d0fe45d0310ffd8f77235af8a8a563cf5e62d36e178685ec34b243e34f2fb3a06061318a76

Download Submit
memory/1964-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1964-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1964-126-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1964-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2320-107-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-36-0x0000000002410000-0x0000000002487000-memory.dmp

Filesize
476KB

Download
memory/2396-65-0x0000000002410000-0x0000000002487000-memory.dmp

Filesize
476KB

Download
memory/2396-32-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-35-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-38-0x0000000000740000-0x000000000074F000-memory.dmp

Filesize
60KB

Download
memory/2396-37-0x0000000075120000-0x0000000075131000-memory.dmp

Filesize
68KB

Download
memory/2396-31-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-39-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-41-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-61-0x0000000015740000-0x0000000015742000-memory.dmp

Filesize
8KB

Download
memory/2396-62-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-67-0x0000000000740000-0x000000000074F000-memory.dmp

Filesize
60KB

Download
memory/2396-66-0x0000000075120000-0x0000000075131000-memory.dmp

Filesize
68KB

Download
memory/2396-33-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-64-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-69-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-74-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-29-0x0000000000740000-0x000000000074F000-memory.dmp

Filesize
60KB

Download
memory/2396-27-0x0000000075120000-0x0000000075131000-memory.dmp

Filesize
68KB

Download
memory/2396-15-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-19-0x0000000002410000-0x0000000002487000-memory.dmp

Filesize
476KB

Download
memory/2396-109-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2396-110-0x0000000002410000-0x0000000002487000-memory.dmp

Filesize
476KB

Download
memory/2396-112-0x0000000000740000-0x000000000074F000-memory.dmp

Filesize
60KB

Download
memory/2396-125-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2676-103-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download