f59e59f5d7c313a059ec3adac4326d06cf039ac449deebec30b39fbe9fe1f1f1

Analysis

max time kernel
441s
max time network
501s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

g4123.msi
Size

10.9MB
MD5

f14d4e129dc0ea8d968316df9c18995c
SHA1

d679be9a4b62cc5a560c641a09dc4fe2b668f261
SHA256

f59e59f5d7c313a059ec3adac4326d06cf039ac449deebec30b39fbe9fe1f1f1
SHA512

f6b02bed62191dd59eb52fbf9267c9a848e03dd020072e8e12688ca83cf3efb487f828de4b0e2302f6f8d8fcfc7575eebfa2379e47fa203787911173aeb9e1ce
SSDEEP

196608:68aXjDEAkJVjG2lnKOHCe0BvxJ4uY+QkHyxomkJiEBLS6A4p6625d0XL:+XPEzVjG2oICvBJJ4uckIomIa41XL

Score

7^/10

collection discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ArchiveUninstall_up_dbg.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ArchiveUninstall_up_dbg.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pyexec.exe

description	pid	Process	procid_target
PID 408 set thread context of 4024	408	pyexec.exe	107

Executes dropped EXE 12 IoCs

Processes:

ISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exepyexec.exepyexec.exe

pid	Process
2944	ISBEW64.exe
3524	ISBEW64.exe
4548	ISBEW64.exe
4284	ISBEW64.exe
1516	ISBEW64.exe
3840	ISBEW64.exe
2704	ISBEW64.exe
3308	ISBEW64.exe
3472	ISBEW64.exe
2400	ISBEW64.exe
3932	pyexec.exe
408	pyexec.exe

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exepyexec.exepyexec.exeArchiveUninstall_up_dbg.exe

pid	Process
2236	MsiExec.exe
2236	MsiExec.exe
2236	MsiExec.exe
2236	MsiExec.exe
2236	MsiExec.exe
3932	pyexec.exe
408	pyexec.exe
464	ArchiveUninstall_up_dbg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
3680	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pyexec.execmd.exeMsiExec.exepyexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

pyexec.exepyexec.execmd.exeArchiveUninstall_up_dbg.exe

pid	Process
3932	pyexec.exe
408	pyexec.exe
408	pyexec.exe
4024	cmd.exe
4024	cmd.exe
464	ArchiveUninstall_up_dbg.exe
464	ArchiveUninstall_up_dbg.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pyexec.execmd.exe

pid	Process
408	pyexec.exe
4024	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	3680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3680	msiexec.exe
Token: SeSecurityPrivilege	3768	msiexec.exe
Token: SeCreateTokenPrivilege	3680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3680	msiexec.exe
Token: SeLockMemoryPrivilege	3680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3680	msiexec.exe
Token: SeMachineAccountPrivilege	3680	msiexec.exe
Token: SeTcbPrivilege	3680	msiexec.exe
Token: SeSecurityPrivilege	3680	msiexec.exe
Token: SeTakeOwnershipPrivilege	3680	msiexec.exe
Token: SeLoadDriverPrivilege	3680	msiexec.exe
Token: SeSystemProfilePrivilege	3680	msiexec.exe
Token: SeSystemtimePrivilege	3680	msiexec.exe
Token: SeProfSingleProcessPrivilege	3680	msiexec.exe
Token: SeIncBasePriorityPrivilege	3680	msiexec.exe
Token: SeCreatePagefilePrivilege	3680	msiexec.exe
Token: SeCreatePermanentPrivilege	3680	msiexec.exe
Token: SeBackupPrivilege	3680	msiexec.exe
Token: SeRestorePrivilege	3680	msiexec.exe
Token: SeShutdownPrivilege	3680	msiexec.exe
Token: SeDebugPrivilege	3680	msiexec.exe
Token: SeAuditPrivilege	3680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3680	msiexec.exe
Token: SeChangeNotifyPrivilege	3680	msiexec.exe
Token: SeRemoteShutdownPrivilege	3680	msiexec.exe
Token: SeUndockPrivilege	3680	msiexec.exe
Token: SeSyncAgentPrivilege	3680	msiexec.exe
Token: SeEnableDelegationPrivilege	3680	msiexec.exe
Token: SeManageVolumePrivilege	3680	msiexec.exe
Token: SeImpersonatePrivilege	3680	msiexec.exe
Token: SeCreateGlobalPrivilege	3680	msiexec.exe
Token: SeCreateTokenPrivilege	3680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3680	msiexec.exe
Token: SeLockMemoryPrivilege	3680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3680	msiexec.exe
Token: SeMachineAccountPrivilege	3680	msiexec.exe
Token: SeTcbPrivilege	3680	msiexec.exe
Token: SeSecurityPrivilege	3680	msiexec.exe
Token: SeTakeOwnershipPrivilege	3680	msiexec.exe
Token: SeLoadDriverPrivilege	3680	msiexec.exe
Token: SeSystemProfilePrivilege	3680	msiexec.exe
Token: SeSystemtimePrivilege	3680	msiexec.exe
Token: SeProfSingleProcessPrivilege	3680	msiexec.exe
Token: SeIncBasePriorityPrivilege	3680	msiexec.exe
Token: SeCreatePagefilePrivilege	3680	msiexec.exe
Token: SeCreatePermanentPrivilege	3680	msiexec.exe
Token: SeBackupPrivilege	3680	msiexec.exe
Token: SeRestorePrivilege	3680	msiexec.exe
Token: SeShutdownPrivilege	3680	msiexec.exe
Token: SeDebugPrivilege	3680	msiexec.exe
Token: SeAuditPrivilege	3680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3680	msiexec.exe
Token: SeChangeNotifyPrivilege	3680	msiexec.exe
Token: SeRemoteShutdownPrivilege	3680	msiexec.exe
Token: SeUndockPrivilege	3680	msiexec.exe
Token: SeSyncAgentPrivilege	3680	msiexec.exe
Token: SeEnableDelegationPrivilege	3680	msiexec.exe
Token: SeManageVolumePrivilege	3680	msiexec.exe
Token: SeImpersonatePrivilege	3680	msiexec.exe
Token: SeCreateGlobalPrivilege	3680	msiexec.exe
Token: SeCreateTokenPrivilege	3680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3680	msiexec.exe
Token: SeLockMemoryPrivilege	3680	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
3680	msiexec.exe
3680	msiexec.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

msiexec.exeMsiExec.exepyexec.exepyexec.execmd.exe

description	pid	Process	procid_target
PID 3768 wrote to memory of 2236	3768	msiexec.exe	85
PID 3768 wrote to memory of 2236	3768	msiexec.exe	85
PID 3768 wrote to memory of 2236	3768	msiexec.exe	85
PID 2236 wrote to memory of 2944	2236	MsiExec.exe	86
PID 2236 wrote to memory of 2944	2236	MsiExec.exe	86
PID 2236 wrote to memory of 3524	2236	MsiExec.exe	87
PID 2236 wrote to memory of 3524	2236	MsiExec.exe	87
PID 2236 wrote to memory of 4548	2236	MsiExec.exe	88
PID 2236 wrote to memory of 4548	2236	MsiExec.exe	88
PID 2236 wrote to memory of 4284	2236	MsiExec.exe	89
PID 2236 wrote to memory of 4284	2236	MsiExec.exe	89
PID 2236 wrote to memory of 1516	2236	MsiExec.exe	90
PID 2236 wrote to memory of 1516	2236	MsiExec.exe	90
PID 2236 wrote to memory of 3840	2236	MsiExec.exe	91
PID 2236 wrote to memory of 3840	2236	MsiExec.exe	91
PID 2236 wrote to memory of 2704	2236	MsiExec.exe	92
PID 2236 wrote to memory of 2704	2236	MsiExec.exe	92
PID 2236 wrote to memory of 3308	2236	MsiExec.exe	93
PID 2236 wrote to memory of 3308	2236	MsiExec.exe	93
PID 2236 wrote to memory of 3472	2236	MsiExec.exe	94
PID 2236 wrote to memory of 3472	2236	MsiExec.exe	94
PID 2236 wrote to memory of 2400	2236	MsiExec.exe	95
PID 2236 wrote to memory of 2400	2236	MsiExec.exe	95
PID 2236 wrote to memory of 3932	2236	MsiExec.exe	96
PID 2236 wrote to memory of 3932	2236	MsiExec.exe	96
PID 2236 wrote to memory of 3932	2236	MsiExec.exe	96
PID 3932 wrote to memory of 408	3932	pyexec.exe	106
PID 3932 wrote to memory of 408	3932	pyexec.exe	106
PID 3932 wrote to memory of 408	3932	pyexec.exe	106
PID 408 wrote to memory of 4024	408	pyexec.exe	107
PID 408 wrote to memory of 4024	408	pyexec.exe	107
PID 408 wrote to memory of 4024	408	pyexec.exe	107
PID 408 wrote to memory of 4024	408	pyexec.exe	107
PID 4024 wrote to memory of 464	4024	cmd.exe	118
PID 4024 wrote to memory of 464	4024	cmd.exe	118
PID 4024 wrote to memory of 464	4024	cmd.exe	118
PID 4024 wrote to memory of 464	4024	cmd.exe	118

outlook_office_path 1 IoCs

Processes:

ArchiveUninstall_up_dbg.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ArchiveUninstall_up_dbg.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\g4123.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BCD572D49F2F340F390F3746D0F38B42 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DBA74948-84BF-4C71-B6A7-2285B7D528F6}
    3⤵
    - Executes dropped EXE
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{76504C84-0FE5-4B06-9802-F2991F3AE0AB}
    3⤵
    - Executes dropped EXE
    PID:3524
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB827DCA-6874-4AEE-B249-353EFC97E87C}
    3⤵
    - Executes dropped EXE
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06E34561-67EF-402D-A482-819C418115F0}
    3⤵
    - Executes dropped EXE
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9179FEF2-5363-4EF4-9E9C-EBCF93BFAB03}
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F21D92B3-FF32-4F56-9B3C-CFD23EE8D5FF}
    3⤵
    - Executes dropped EXE
    PID:3840
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DB286AA-5558-4EBF-9742-D44EFD243712}
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FBF8DC1E-99A8-480D-8E76-EDAA8AC6DFF1}
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0A335AF6-CE68-47B1-A760-B185050D8E43}
    3⤵
    - Executes dropped EXE
    PID:3472
- - C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BFBF1308-E001-45DB-A779-40978790395F}
    3⤵
    - Executes dropped EXE
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\pyexec.exe
    C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\pyexec.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Roaming\BackupMakeLu_debug\pyexec.exe
      C:\Users\Admin\AppData\Roaming\BackupMakeLu_debug\pyexec.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Temp\ArchiveUninstall_up_dbg.exe
        
        C:\Users\Admin\AppData\Local\Temp\ArchiveUninstall_up_dbg.exe
        6⤵
        Accesses Microsoft Outlook profiles
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        
        PID:464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fb449a7

Filesize
5.6MB

MD5
b5f1bbc9051a0761b89719da883b44b0

SHA1
2035b0b384e545f2d7aea7b2c8043149bb3a9124

SHA256
19f777373360f06b9ebec32ec64af17847d8a94b767094814017719f366ce6a1

SHA512
58a8d738ded5dbe0cbfe0d854f79e18aa72acfa919922790a4dd241ff70bb9cb0f53ed6967044a79caee6bd74d9b41279a4abfa1d0f872745ef7b813774c8141

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArchiveUninstall_up_dbg.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6C66.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6F84.tmp

Filesize
2.5MB

MD5
614b21ec901d523e58aec4f6d95f12f8

SHA1
31ee88bb3b18ad109e06eede5b787798f78b3c6c

SHA256
0f7044a12746a2a0b5d2f5e6ef6eda631b37a8c5d6e16715cfd932fbe2479f22

SHA512
7fe6059afa1379c878200d4e3becc7287289bb6f90be304e12d5a7c45aa680516c3d65427b4be3998bea12254557c6297617d58d4538a992925711cedcd80c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{079C2717-B6D9-4F22-9574-6DCAAFA3DD7F}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\PYTHON27.DLL

Filesize
2.5MB

MD5
97ba4f023eef94417adcb77b044830c4

SHA1
d071a2c68256a36a1c2504d6c931ced63d676c4f

SHA256
357aedc478d8c1c6e85874c25a6a76b3801413fd71aaa641b31905e19b6cc7bd

SHA512
3a165eecbbee200f67476709e453254fcb131441f4a1737b820826fcb6fead4f3a8bdbf4c6bd8a22e81dee3b7e8b8de548f655c2e30c2e3568ef68625cd05365

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\kkfpps

Filesize
4.5MB

MD5
69b0b17f58499aec5d3134e432bf8189

SHA1
f041e671adc878ce1835a4b9511f02e47bb054c5

SHA256
a25519734407988f82ce2989999ba88577a1b861067cf222bee154efd6f83cbf

SHA512
5ad474b985812ed043625697c4c3f61f87556e9986e9caba649de7c099ad32d77e15624a8eb207888f46587fadb24748bd160d6dcce6d8ac3da1052ea79debc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\msvcr90.dll

Filesize
638KB

MD5
11d49148a302de4104ded6a92b78b0ed

SHA1
fd58a091b39ed52611ade20a782ef58ac33012af

SHA256
ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0

SHA512
fdc43b3ee38f7beb2375c953a29db8bcf66b73b78ccc04b147e26108f3b650c0a431b276853bb8e08167d34a8cc9c6b7918daef9ebc0a4833b1534c5afac75e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\oqie

Filesize
18KB

MD5
1b460253d49274b10fbb004dfb9747fc

SHA1
e7eeb198a3bfd9e5977eca69940754aa6d065ee0

SHA256
ea375e1438be7cbd7841956e11c8b5749bea413fd9d6b8044c2204e8e7c2e209

SHA512
2d3f22b67b702c68491aa8b66081bf02ba6e94dc4cfb352a41810c479807b149f4bd698abbcc1e41287640c0376ad099e932bcfdb6790c7f099f67625a77c390

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E0FCA78-AF85-4F0A-B9E7-D3DED7532620}\pyexec.exe

Filesize
28KB

MD5
b6f6c3c38568ee26f1ac70411a822405

SHA1
5b94d0adac4df2d7179c378750c4e3417231125f

SHA256
a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d

SHA512
5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122

Download Submit
memory/408-81-0x00007FF9A7FF0000-0x00007FF9A81E5000-memory.dmp

Filesize
2.0MB

Download
memory/408-80-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/408-82-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/464-109-0x00007FF750210000-0x00007FF750520000-memory.dmp

Filesize
3.1MB

Download
memory/464-98-0x00007FF750210000-0x00007FF750520000-memory.dmp

Filesize
3.1MB

Download
memory/464-104-0x00007FF750210000-0x00007FF750520000-memory.dmp

Filesize
3.1MB

Download
memory/464-103-0x00007FF750210000-0x00007FF750520000-memory.dmp

Filesize
3.1MB

Download
memory/464-95-0x00007FF750210000-0x00007FF750520000-memory.dmp

Filesize
3.1MB

Download
memory/464-96-0x00007FF750210000-0x00007FF750520000-memory.dmp

Filesize
3.1MB

Download
memory/2236-38-0x0000000002D00000-0x0000000002EC7000-memory.dmp

Filesize
1.8MB

Download
memory/2236-33-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3932-66-0x00007FF9A7FF0000-0x00007FF9A81E5000-memory.dmp

Filesize
2.0MB

Download
memory/3932-65-0x0000000074990000-0x0000000074B0B000-memory.dmp

Filesize
1.5MB

Download
memory/4024-88-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/4024-85-0x00007FF9A7FF0000-0x00007FF9A81E5000-memory.dmp

Filesize
2.0MB

Download