formbook | cf0e116dee54548758f13c3149761d93a51e4d197ebc155bb2e91cb79b136497

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2220944d9985a6843374f41b835a9825.msi
Size

272KB
MD5

2220944d9985a6843374f41b835a9825
SHA1

1929c4c64ea4cc18608eaf6140d1b28fa98d7ed3
SHA256

3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65
SHA512

f1ec6f41d5b9ed14885df6e090a77b06c10f2e61ed36525dfd4e953a61c948da8271c2ea5e29dd5fcdba62e2acc218e74b71312e3ef30c54a87b387534e2c816
SSDEEP

6144:5EtTqjFaFtV9KoA68Atd/Tdle0U0gCKTkn9om07/6s2eD5HG:5E9fN26ZtLlDGCos9ofis2gH

Score

10^/10

formbook thl4 discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

thl4

Decoy

281155oo.com

ykszyx.com

carhiredurban.com

aualiaison.com

papuapod.com

indianapolisheatingair.com

astoriakrd.online

tiffanyandzach.com

thenextstepos.com

greenleaveshotels.com

opatijatourism.com

greenberg.realestate

coastallasercharleston.com

maximgroupbd.com

one1.agency

gzlckz.com

brittanyreevesmusic.com

juliettebrederode.com

stranded.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1400-25-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1400-38-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 1400	3068	MSIC583.tmp	35
PID 1400 set thread context of 1272	1400	MSIC583.tmp	21
PID 2872 set thread context of 1272	2872	systray.exe	21

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC561.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC583.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c49a.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76c497.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c497.msi	msiexec.exe
File created	C:\Windows\Installer\f76c49a.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	MSIC583.tmp
1400	MSIC583.tmp

Loads dropped DLL 3 IoCs

pid	Process
3068	MSIC583.tmp
3068	MSIC583.tmp
3068	MSIC583.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
804	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC583.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000191fd-10.dat	nsis_installer_1
behavioral1/files/0x00070000000191fd-10.dat	nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2432	msiexec.exe
2432	msiexec.exe
1400	MSIC583.tmp
1400	MSIC583.tmp
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe
2872	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3068	MSIC583.tmp
1400	MSIC583.tmp
1400	MSIC583.tmp
1400	MSIC583.tmp
2872	systray.exe
2872	systray.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	804	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeSecurityPrivilege	2432	msiexec.exe
Token: SeCreateTokenPrivilege	804	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	804	msiexec.exe
Token: SeLockMemoryPrivilege	804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	804	msiexec.exe
Token: SeMachineAccountPrivilege	804	msiexec.exe
Token: SeTcbPrivilege	804	msiexec.exe
Token: SeSecurityPrivilege	804	msiexec.exe
Token: SeTakeOwnershipPrivilege	804	msiexec.exe
Token: SeLoadDriverPrivilege	804	msiexec.exe
Token: SeSystemProfilePrivilege	804	msiexec.exe
Token: SeSystemtimePrivilege	804	msiexec.exe
Token: SeProfSingleProcessPrivilege	804	msiexec.exe
Token: SeIncBasePriorityPrivilege	804	msiexec.exe
Token: SeCreatePagefilePrivilege	804	msiexec.exe
Token: SeCreatePermanentPrivilege	804	msiexec.exe
Token: SeBackupPrivilege	804	msiexec.exe
Token: SeRestorePrivilege	804	msiexec.exe
Token: SeShutdownPrivilege	804	msiexec.exe
Token: SeDebugPrivilege	804	msiexec.exe
Token: SeAuditPrivilege	804	msiexec.exe
Token: SeSystemEnvironmentPrivilege	804	msiexec.exe
Token: SeChangeNotifyPrivilege	804	msiexec.exe
Token: SeRemoteShutdownPrivilege	804	msiexec.exe
Token: SeUndockPrivilege	804	msiexec.exe
Token: SeSyncAgentPrivilege	804	msiexec.exe
Token: SeEnableDelegationPrivilege	804	msiexec.exe
Token: SeManageVolumePrivilege	804	msiexec.exe
Token: SeImpersonatePrivilege	804	msiexec.exe
Token: SeCreateGlobalPrivilege	804	msiexec.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeBackupPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2816	DrvInst.exe
Token: SeLoadDriverPrivilege	2816	DrvInst.exe
Token: SeLoadDriverPrivilege	2816	DrvInst.exe
Token: SeLoadDriverPrivilege	2816	DrvInst.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeDebugPrivilege	1400	MSIC583.tmp
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
804	msiexec.exe
804	msiexec.exe
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3068	2432	msiexec.exe	34
PID 2432 wrote to memory of 3068	2432	msiexec.exe	34
PID 2432 wrote to memory of 3068	2432	msiexec.exe	34
PID 2432 wrote to memory of 3068	2432	msiexec.exe	34
PID 3068 wrote to memory of 1400	3068	MSIC583.tmp	35
PID 3068 wrote to memory of 1400	3068	MSIC583.tmp	35
PID 3068 wrote to memory of 1400	3068	MSIC583.tmp	35
PID 3068 wrote to memory of 1400	3068	MSIC583.tmp	35
PID 3068 wrote to memory of 1400	3068	MSIC583.tmp	35
PID 1272 wrote to memory of 2872	1272	Explorer.EXE	36
PID 1272 wrote to memory of 2872	1272	Explorer.EXE	36
PID 1272 wrote to memory of 2872	1272	Explorer.EXE	36
PID 1272 wrote to memory of 2872	1272	Explorer.EXE	36
PID 2872 wrote to memory of 1532	2872	systray.exe	38
PID 2872 wrote to memory of 1532	2872	systray.exe	38
PID 2872 wrote to memory of 1532	2872	systray.exe	38
PID 2872 wrote to memory of 1532	2872	systray.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2220944d9985a6843374f41b835a9825.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:804
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Installer\MSIC583.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Installer\MSIC583.tmp
  "C:\Windows\Installer\MSIC583.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\Installer\MSIC583.tmp
    "C:\Windows\Installer\MSIC583.tmp"
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004BC" "00000000000003EC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c49b.rbs

Filesize
649B

MD5
f73b223b194c8968b5b57813afc9ad39

SHA1
55d95454e06ba965ce2ddfbf9295931ce660f641

SHA256
2d27d5cf4f3643bf7d6891608cf366c33deb5b761ccea9f3a7d7b2db0cfda30d

SHA512
dcdadbe0ad2eadeffd0f4dbe4004ede69ec6df7eb4ca21e1481a8c6d28183a3ee777348d55310e3b4c550fc855c91899cccb213907054d0bad59ac65c645cecf

Download Submit
C:\Windows\Installer\MSIC583.tmp

Filesize
245KB

MD5
4613cbcf3184897a7dcfbe0569303863

SHA1
9b2f4c444cfbb5914299c7f44d867c1dcdf8c7cc

SHA256
b6845befbaf2db54214bf388d650636f2ea251289131751f1735779007ea2334

SHA512
906f4f5fb0af20d5471d4f01ed6ecff952153ee355bc252d4d206b9f5e6f97db8b5df83d5e0a5fb56fd38bf117f44bb60a419873a370f3392fe3ae2ba5a40dcd

Download Submit
\Users\Admin\AppData\Local\Temp\nstC5C1.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
memory/1272-41-0x0000000003F30000-0x0000000004130000-memory.dmp

Filesize
2.0MB

Download
memory/1272-45-0x0000000007500000-0x0000000007675000-memory.dmp

Filesize
1.5MB

Download
memory/1400-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1400-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2872-40-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download