sectoprat | 5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe
Size

23.8MB
MD5

ecc581297b2c637c187c5b8f2455d0a9
SHA1

3f07a6c4f13e193631f21db3950aa9393a5824b1
SHA256

5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1
SHA512

a2271103092085798d4cdc47aec4c6cf685cfd5a4c6ea5d6116c2053649dd4f6c3c9e2c555485c708a0a2aed78b610009e1a0aa0413d1d4b491bfb5abd21da68
SSDEEP

393216:d8jU2t/X9E3JMUNccjPql0NbgVunl22V5v+6m8FavWoB+Ysjuvk:CjU2p9EZvNdjP6Kbaunldv+6mLZ+YAuc

Score

10^/10

sectoprat discovery execution rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1576-395-0x00000000013A0000-0x0000000001466000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp

Executes dropped EXE 2 IoCs

pid	Process
4152	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
4344	Simple.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 4256	4344	Simple.exe	104
PID 4256 set thread context of 1576	4256	more.com	110

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Advanced IP Scanner\is-GE635.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-MMR70.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-B176R.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-LUPO6.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-SCCIL.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-H83UG.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-NJCNV.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-8AUBE.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\unins000.dat	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-I0V0J.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-7ASGI.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-BHC2Q.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-3DM77.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-05MM8.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-3H95S.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-L0055.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-MMH63.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-IKUVJ.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-APDPG.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-VBK2K.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-9NIBH.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-QTOPO.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-VCTLC.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-DF7P0.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-FO8C8.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-5U7LI.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-495MQ.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-URR90.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-PUHCR.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-D3PPR.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-3T3C7.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-8PGIE.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-QLQ15.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-DKIRO.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-7EARE.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-0M1KB.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-LDF73.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-2AHPR.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-FQ8T4.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-GRJDN.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-24I3M.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-OJPIE.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-17KA2.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-DUUQ6.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-5IA9I.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-I5B37.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-EK8GV.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-6B1AU.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-GHIQV.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-C5P6U.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-KKA54.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-04EGV.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-5J73C.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-VD5OP.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-VTHAB.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-GABKO.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-L64VR.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-7HMT3.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-TVIQS.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-BE31M.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-DR6G4.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-F8T42.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-6NA6A.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
File created	C:\Program Files (x86)\Advanced IP Scanner\is-NGA5A.tmp	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Storage Technology Management Service.job	more.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3604	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Simple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3604	powershell.exe
3604	powershell.exe
4344	Simple.exe
4344	Simple.exe
4256	more.com
4256	more.com
1576	MSBuild.exe
1576	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4344	Simple.exe
4256	more.com
4256	more.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	1576	MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4152	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1576	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4152	1852	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe	83
PID 1852 wrote to memory of 4152	1852	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe	83
PID 1852 wrote to memory of 4152	1852	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe	83
PID 4152 wrote to memory of 3604	4152	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp	100
PID 4152 wrote to memory of 3604	4152	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp	100
PID 4152 wrote to memory of 3604	4152	5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp	100
PID 3604 wrote to memory of 4344	3604	powershell.exe	103
PID 3604 wrote to memory of 4344	3604	powershell.exe	103
PID 3604 wrote to memory of 4344	3604	powershell.exe	103
PID 4344 wrote to memory of 4256	4344	Simple.exe	104
PID 4344 wrote to memory of 4256	4344	Simple.exe	104
PID 4344 wrote to memory of 4256	4344	Simple.exe	104
PID 4344 wrote to memory of 4256	4344	Simple.exe	104
PID 4256 wrote to memory of 1576	4256	more.com	110
PID 4256 wrote to memory of 1576	4256	more.com	110
PID 4256 wrote to memory of 1576	4256	more.com	110
PID 4256 wrote to memory of 1576	4256	more.com	110
PID 4256 wrote to memory of 1576	4256	more.com	110

C:\Users\Admin\AppData\Local\Temp\5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe
"C:\Users\Admin\AppData\Local\Temp\5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\is-P8F67.tmp\5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P8F67.tmp\5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp" /SL5="$7005E,18032967,815616,C:\Users\Admin\AppData\Local\Temp\5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-4OV31.tmp\ExtractedContent.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Roaming\SystemUtil\Simple.exe
      "C:\Users\Admin\AppData\Roaming\SystemUtil\Simple.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced IP Scanner\details_panel_id_id.tpl

Filesize
1KB

MD5
88b009ccacf0eb1b4a141470d3f160c4

SHA1
ee0d1a44562ccdedbcde92d232fa541f53826b4b

SHA256
d2254ed99166a12ce00f93379142acfcbf9a49af3fb8789e8215b0c1cccb4587

SHA512
d07c7b90a12e7e48a90bf450a57e4479ae5bb130efe9950a316d9a7ab9063d94af0f35942925aca41a7c2c149a0f31a075c38dd0b34821f88bd81588660d0be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_creqkgvr.gi4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c877f4d8

Filesize
1.6MB

MD5
503141a46b747128cd364f4ec7d30585

SHA1
44f3c3869dead2d6e2ce13e7e134175f66424658

SHA256
f69ee4ec3c9c36d8b32904dd769568c875176e1f8c0583efd0173da706b5d3c7

SHA512
57b5d8d1a54c3943a27e5445a05f5fdf5a0d4ae32ee0c77e9ce1a4724bc3b3bed028a52daa83d6afd35f29ee6c72efc22d20e419aad4e6008fbce49ad5920bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d00bc1fd

Filesize
1.4MB

MD5
b5f758134e11ae91b58db6e95e659470

SHA1
f99e49363c71b29d37e4ef21de0d9d217b1b576a

SHA256
db120168ea10d2bc7b3ecdef812402a1cc8db6837b48e825dc197230ce5b94dd

SHA512
81bb26c1b94edc7f834280568ec68f2dfd91cdf270c34f2fb4c98a57060c2eccf906b1cd1ff860a3089a78a659d72d3ad1020a7983aa423e061db84dfa3ed566

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4OV31.tmp\ExtractedContent.ps1

Filesize
7.1MB

MD5
1e7e0d839739d361a490f6816de30dd7

SHA1
982f175e8585b0ffef8203095cbb7cf4a4fc708f

SHA256
a0a3a16453e9c8b9b529f8e5a1631ce7a0c67b60295033efdf06a76092d70d2d

SHA512
7c85f8248920e3d3d94e907fcc48b06621b5b3e0cca3b9d88b18d3eb948a834897fe64f949d5af4208c15fd56048e8bb03317718db39f7487fc614e66361dd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P8F67.tmp\5cbe2ec3c59b2cffd0ff87d7931f3f406985cbeb5648f9afcd36475552e96cc1.tmp

Filesize
3.2MB

MD5
77264dbcb409de0c426bd5088b0fbe09

SHA1
11c02946ea15eea615ede3ed5597ed223d3879cf

SHA256
85c71bb847f0b29db1d790c631d586167942ffceae96605f5673438fe3c8dd1a

SHA512
5604a2fee723cea3238aca10dd44e1b1a4d5316a1e2c860619e34b9076fee501e9a9fc22c7e3e3dad1fdc7690f1992a57778b74b40fe6f3307085549ccfc6a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E56.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Roaming\SystemUtil\Simple.exe

Filesize
10.5MB

MD5
4e4b37708a5780e19101a3c081b0992a

SHA1
df5a5e50017c759906cb3dd31e564c54bdf7d844

SHA256
1201aaef87fbd2be3b27b325e7fb99ef4edf5d38150846f94622c385b473e6f6

SHA512
baf71393027412d62ec070b01f85e141e29ee6f31399e5021c66809bfc505840ec1c1ce706dce99164331f93711a86349ecec23fa344b151dc1b2b941021d413

Download Submit
memory/1576-400-0x0000000006BA0000-0x00000000070CC000-memory.dmp

Filesize
5.2MB

Download
memory/1576-395-0x00000000013A0000-0x0000000001466000-memory.dmp

Filesize
792KB

Download
memory/1576-416-0x0000000005C00000-0x0000000005C3C000-memory.dmp

Filesize
240KB

Download
memory/1576-399-0x0000000005AD0000-0x0000000005B20000-memory.dmp

Filesize
320KB

Download
memory/1576-398-0x0000000005A50000-0x0000000005AC6000-memory.dmp

Filesize
472KB

Download
memory/1576-397-0x0000000005D00000-0x0000000005EC2000-memory.dmp

Filesize
1.8MB

Download
memory/1576-396-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/1576-401-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/1576-391-0x00000000752E0000-0x00000000752F4000-memory.dmp

Filesize
80KB

Download
memory/1576-414-0x0000000008290000-0x000000000829A000-memory.dmp

Filesize
40KB

Download
memory/1576-415-0x0000000005BA0000-0x0000000005BB2000-memory.dmp

Filesize
72KB

Download
memory/1852-377-0x0000000000820000-0x00000000008F5000-memory.dmp

Filesize
852KB

Download
memory/1852-8-0x0000000000820000-0x00000000008F5000-memory.dmp

Filesize
852KB

Download
memory/1852-0-0x0000000000820000-0x00000000008F5000-memory.dmp

Filesize
852KB

Download
memory/1852-2-0x0000000000821000-0x00000000008C9000-memory.dmp

Filesize
672KB

Download
memory/3604-338-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-306-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3604-322-0x00000000069C0000-0x00000000069E2000-memory.dmp

Filesize
136KB

Download
memory/3604-323-0x000000000BB40000-0x000000000C0E4000-memory.dmp

Filesize
5.6MB

Download
memory/3604-326-0x000000006FCF0000-0x000000006FD3C000-memory.dmp

Filesize
304KB

Download
memory/3604-325-0x000000000B7F0000-0x000000000B822000-memory.dmp

Filesize
200KB

Download
memory/3604-327-0x000000006FE60000-0x00000000701B4000-memory.dmp

Filesize
3.3MB

Download
memory/3604-337-0x000000000B830000-0x000000000B84E000-memory.dmp

Filesize
120KB

Download
memory/3604-340-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-339-0x000000000B860000-0x000000000B903000-memory.dmp

Filesize
652KB

Download
memory/3604-341-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-320-0x000000000B4F0000-0x000000000B586000-memory.dmp

Filesize
600KB

Download
memory/3604-342-0x000000000D770000-0x000000000DDEA000-memory.dmp

Filesize
6.5MB

Download
memory/3604-343-0x000000000B9E0000-0x000000000B9EA000-memory.dmp

Filesize
40KB

Download
memory/3604-344-0x000000000D0F0000-0x000000000D101000-memory.dmp

Filesize
68KB

Download
memory/3604-345-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-346-0x000000000D140000-0x000000000D152000-memory.dmp

Filesize
72KB

Download
memory/3604-347-0x000000000D130000-0x000000000D13A000-memory.dmp

Filesize
40KB

Download
memory/3604-318-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/3604-303-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-304-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/3604-371-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-317-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/3604-321-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/3604-305-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/3604-301-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/3604-316-0x0000000005E00000-0x0000000006154000-memory.dmp

Filesize
3.3MB

Download
memory/3604-300-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/3604-302-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/3604-299-0x000000007346E000-0x000000007346F000-memory.dmp

Filesize
4KB

Download
memory/4152-14-0x0000000000970000-0x0000000000CA4000-memory.dmp

Filesize
3.2MB

Download
memory/4152-12-0x0000000000970000-0x0000000000CA4000-memory.dmp

Filesize
3.2MB

Download
memory/4152-376-0x0000000000970000-0x0000000000CA4000-memory.dmp

Filesize
3.2MB

Download
memory/4152-9-0x0000000000970000-0x0000000000CA4000-memory.dmp

Filesize
3.2MB

Download
memory/4152-10-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4152-6-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4152-363-0x0000000000970000-0x0000000000CA4000-memory.dmp

Filesize
3.2MB

Download
memory/4256-394-0x0000000003140000-0x00000000036F3000-memory.dmp

Filesize
5.7MB

Download
memory/4256-389-0x0000000076770000-0x0000000076D23000-memory.dmp

Filesize
5.7MB

Download
memory/4256-386-0x0000000076770000-0x0000000076D23000-memory.dmp

Filesize
5.7MB

Download
memory/4256-385-0x0000000003140000-0x00000000036F3000-memory.dmp

Filesize
5.7MB

Download
memory/4256-383-0x00007FFB9F2B0000-0x00007FFB9F4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4344-379-0x0000000076770000-0x0000000076D23000-memory.dmp

Filesize
5.7MB

Download
memory/4344-374-0x00007FFB9F2B0000-0x00007FFB9F4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4344-373-0x0000000076770000-0x0000000076D23000-memory.dmp

Filesize
5.7MB

Download
memory/4344-364-0x0000000000400000-0x0000000000E93000-memory.dmp

Filesize
10.6MB

Download