djvu | ea73f95c11dc2dee2df70f6cdf91f2283ed93f02e7d374e1ced51adb1e8aa2c2

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7425a083398b17d64cfb52a00d48db50.exe
Size

223KB
MD5

7425a083398b17d64cfb52a00d48db50
SHA1

ef24f4394fe0ccfe21c5e0c025c2b04884c3d295
SHA256

ea73f95c11dc2dee2df70f6cdf91f2283ed93f02e7d374e1ced51adb1e8aa2c2
SHA512

3e38161eb5c845b287374c095246b96ae885140b9696d39a59ddbccd761f7f4e1e460e8a4a2931e070bacfa93aa8117a70334d5f237a51b94ebabf0f616c684b
SSDEEP

3072:mIZ8zlfJWGW3dRyjg0CIWEYjmdIQUaIB/MnRiIWDWAUo2th4gjaaSpGq/B:mplfJadAj1CxEYjmWQ/wMnsF0389p7

Score

10^/10

djvu risepro smokeloader socks5systemz pub1 backdoor botnet discovery evasion persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Detect Socks5Systemz Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3124-210-0x0000000000B20000-0x0000000000BC2000-memory.dmp	family_socks5systemz
behavioral2/memory/3124-214-0x0000000000B20000-0x0000000000BC2000-memory.dmp	family_socks5systemz

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3836-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4156-28-0x00000000048C0000-0x00000000049DB000-memory.dmp	family_djvu
behavioral2/memory/3836-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3112-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3112-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3112-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

44E7.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 44E7.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44E7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44E7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44E7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44E7.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

D070.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation D070.exe
Deletes itself 1 IoCs

Processes:

pid process

3396

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	D070.exe

pid	process
3396

Executes dropped EXE 12 IoCs

Processes:

A374.exeD070.exeD070.exeD070.exeD070.exeE977.exerhcbbvw44E7.exe4D54.exe4D54.tmpksverify.exeksverify.exe

pid	process
4496	A374.exe
4156	D070.exe
3836	D070.exe
3480	D070.exe
3112	D070.exe
3304	E977.exe
4516	rhcbbvw
3604	44E7.exe
4060	4D54.exe
2268	4D54.tmp
388	ksverify.exe
3124	ksverify.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

44E7.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine 44E7.exe
Loads dropped DLL 3 IoCs

Processes:

4D54.tmp

pid process

2268 4D54.tmp
2268 4D54.tmp
2268 4D54.tmp
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4256 icacls.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine	44E7.exe

pid	process
2268	4D54.tmp
2268	4D54.tmp
2268	4D54.tmp

pid	process
4256	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

D070.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\da0ed18f-8317-4017-b871-4cde2556a2f9\\D070.exe\" --AutoStart"	D070.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 api.2ip.ua
51 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

44E7.exe

pid process

3604 44E7.exe

flow	ioc
50	api.2ip.ua
51	api.2ip.ua

pid	process
3604	44E7.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

D070.exeD070.exeE977.exe

description	pid	process	target process
PID 4156 set thread context of 3836	4156	D070.exe	D070.exe
PID 3480 set thread context of 3112	3480	D070.exe	D070.exe
PID 3304 set thread context of 4868	3304	E977.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process

2124 3112 WerFault.exe
1468 4868 WerFault.exe RegAsm.exe
3212 4868 WerFault.exe RegAsm.exe

pid	pid_target	process
2124	3112	WerFault.exe
1468	4868	WerFault.exe	RegAsm.exe
3212	4868	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7425a083398b17d64cfb52a00d48db50.exeA374.exerhcbbvw

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7425a083398b17d64cfb52a00d48db50.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7425a083398b17d64cfb52a00d48db50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A374.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7425a083398b17d64cfb52a00d48db50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rhcbbvw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rhcbbvw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rhcbbvw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A374.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7425a083398b17d64cfb52a00d48db50.exe

pid	process
1828	7425a083398b17d64cfb52a00d48db50.exe
1828	7425a083398b17d64cfb52a00d48db50.exe
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

7425a083398b17d64cfb52a00d48db50.exeA374.exerhcbbvw

pid process

1828 7425a083398b17d64cfb52a00d48db50.exe
4496 A374.exe
4516 rhcbbvw

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4D54.tmp

pid process

2268 4D54.tmp

pid	process
2268	4D54.tmp

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

D070.exeD070.exeD070.exeE977.exe4D54.exe4D54.tmp

description	pid	process	target process
PID 3396 wrote to memory of 4496	3396		A374.exe
PID 3396 wrote to memory of 4496	3396		A374.exe
PID 3396 wrote to memory of 4496	3396		A374.exe
PID 3396 wrote to memory of 4156	3396		D070.exe
PID 3396 wrote to memory of 4156	3396		D070.exe
PID 3396 wrote to memory of 4156	3396		D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 4156 wrote to memory of 3836	4156	D070.exe	D070.exe
PID 3836 wrote to memory of 4256	3836	D070.exe	icacls.exe
PID 3836 wrote to memory of 4256	3836	D070.exe	icacls.exe
PID 3836 wrote to memory of 4256	3836	D070.exe	icacls.exe
PID 3836 wrote to memory of 3480	3836	D070.exe	D070.exe
PID 3836 wrote to memory of 3480	3836	D070.exe	D070.exe
PID 3836 wrote to memory of 3480	3836	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3480 wrote to memory of 3112	3480	D070.exe	D070.exe
PID 3396 wrote to memory of 3304	3396		E977.exe
PID 3396 wrote to memory of 3304	3396		E977.exe
PID 3396 wrote to memory of 3304	3396		E977.exe
PID 3304 wrote to memory of 4680	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4680	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4680	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3304 wrote to memory of 4868	3304	E977.exe	RegAsm.exe
PID 3396 wrote to memory of 3604	3396		44E7.exe
PID 3396 wrote to memory of 3604	3396		44E7.exe
PID 3396 wrote to memory of 3604	3396		44E7.exe
PID 3396 wrote to memory of 4060	3396		4D54.exe
PID 3396 wrote to memory of 4060	3396		4D54.exe
PID 3396 wrote to memory of 4060	3396		4D54.exe
PID 4060 wrote to memory of 2268	4060	4D54.exe	4D54.tmp
PID 4060 wrote to memory of 2268	4060	4D54.exe	4D54.tmp
PID 4060 wrote to memory of 2268	4060	4D54.exe	4D54.tmp
PID 2268 wrote to memory of 388	2268	4D54.tmp	ksverify.exe
PID 2268 wrote to memory of 388	2268	4D54.tmp	ksverify.exe
PID 2268 wrote to memory of 388	2268	4D54.tmp	ksverify.exe
PID 2268 wrote to memory of 3124	2268	4D54.tmp	ksverify.exe
PID 2268 wrote to memory of 3124	2268	4D54.tmp	ksverify.exe
PID 2268 wrote to memory of 3124	2268	4D54.tmp	ksverify.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7425a083398b17d64cfb52a00d48db50.exe
"C:\Users\Admin\AppData\Local\Temp\7425a083398b17d64cfb52a00d48db50.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1828

C:\Users\Admin\AppData\Local\Temp\A374.exe
C:\Users\Admin\AppData\Local\Temp\A374.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4496

C:\Users\Admin\AppData\Local\Temp\D070.exe
C:\Users\Admin\AppData\Local\Temp\D070.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\D070.exe
  C:\Users\Admin\AppData\Local\Temp\D070.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\da0ed18f-8317-4017-b871-4cde2556a2f9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\D070.exe
    "C:\Users\Admin\AppData\Local\Temp\D070.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\D070.exe
      "C:\Users\Admin\AppData\Local\Temp\D070.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3112 -ip 3112
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 568
1⤵
- Program crash
PID:2124

C:\Users\Admin\AppData\Local\Temp\E977.exe
C:\Users\Admin\AppData\Local\Temp\E977.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 824
    3⤵
    - Program crash
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1228
    3⤵
    - Program crash
    PID:3212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4868 -ip 4868
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4868 -ip 4868
1⤵
PID:4984

C:\Users\Admin\AppData\Roaming\rhcbbvw
C:\Users\Admin\AppData\Roaming\rhcbbvw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4516

C:\Users\Admin\AppData\Local\Temp\44E7.exe
C:\Users\Admin\AppData\Local\Temp\44E7.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3604

C:\Users\Admin\AppData\Local\Temp\4D54.exe
C:\Users\Admin\AppData\Local\Temp\4D54.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\is-CHEFH.tmp\4D54.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CHEFH.tmp\4D54.tmp" /SL5="$A0182,7390120,54272,C:\Users\Admin\AppData\Local\Temp\4D54.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
    "C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -i
    3⤵
    - Executes dropped EXE
    PID:388
- - C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
    "C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe

Filesize
95KB

MD5
4c7b32b01f3b39dcec20e6203da56263

SHA1
d3ee056d4d3d1ad4c3e84a894e6a6839aff47df9

SHA256
fe29955ef1ef007a0278f74bca1e2811487e0315fb41782fb3841a29df67a7d7

SHA512
4d5a03483cfea70aab4b282f8d09ed0d21e6a1d6c9c3d0407baabc4ea02a4fd5a78f69c01800779c5ea42ffa9d44a1f635080544c2bc913194efbac05d8afe4f

Download Submit
C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe

Filesize
158KB

MD5
668d745879a8fe0eee2fcd121b25a4fa

SHA1
8b04772b84b4229977ec602a6190803081822d11

SHA256
9c4975283fcbc7d6f75aa9f34d26a670d6aaf7af0412513bfe7b0178aec4a626

SHA512
8dc467cf276bcf8859c8b5c365d9df36628cf7509a5c7204a7cdaec473ce4eea5484a3566d42e20a64461a76f4141fe174e5b6af84f95a7d59e85148fa0c9037

Download Submit
C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe

Filesize
90KB

MD5
f91e54364775e8d4d54f4005fc7b1cf4

SHA1
32360ba3d19cdfb33590a6be61068a5fe7fdac26

SHA256
116b6b29b04b140a18147f326f20a4ad332989bdffa6afc780650630c67f8fe1

SHA512
e483149cc3a5bea4b002f670308369654e7bb76b66830b0354de86dc11eb6d954a1fa1a6e9220c1d7a050c4f16e2f403971e310088e638af547f7af778445d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\44E7.exe

Filesize
197KB

MD5
afbec3a8586ff03106f350e9f012c6e5

SHA1
a25e26c92fcc81add3d6a1ba89790bf931384a91

SHA256
3ecd0bf1635d5a1258bea0a7190e865476d5121d2a0c764343672598acf91afd

SHA512
41673d64a99d04d6a6b679894cccf862fb2286b31f3abf5bbc3860e5796c5605dfbd3b16184937505ef4cb2e089ef928d9a289b99472c440c1f14977996b3259

Download Submit
C:\Users\Admin\AppData\Local\Temp\44E7.exe

Filesize
283KB

MD5
b52b39733520cc54993805a3c82d805c

SHA1
14cee398847fdc827d0e213c70835374852e0e8f

SHA256
22f1c833943e278f8d1dd52a88f23476e6ca3b38d689dbce4e8651b0d6f66b2e

SHA512
b21f7c04b85792c6d0f3923294e28325c77e10a9b3b3f94164ff064bb2bc9c3ca67b9b24ba0c1fd93db63453681d043fc53b0637710ad488d8525a86e8b6e767

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D54.exe

Filesize
156KB

MD5
919788adc34dd05caa27ff93cb080a3e

SHA1
fcc93f62592bd1d4a755e8c43be0bda58aac7e8e

SHA256
0352779c38b6efe378a37103a19540574192e6c73a09eebcea1c0978410eb076

SHA512
f1d206f578a7951a35c22a1f359f67dbe1894a0eccf69e7357eaeaba3b9b03905ef1bbb21d86a72a6d471a48ee44017e43e6a75fc0d4952676ccfefeb1c6d045

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D54.exe

Filesize
128KB

MD5
39c12da93930ecc634d0dfc6205359e2

SHA1
d95394172843ff79617c69a7c51f8fcae6e01865

SHA256
31fa1e1e01d395ec82f5e4ccc87d75e9c07f34f44820531d044efd6908eeb553

SHA512
dab9b2ab597e6120eed196d789a6cedcfe8b4040f2cc2c9462f9634aa624ddd708d1f868c2efe6579f32a61c3f291dce4698db789e3fde134181e55712fe92ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\A374.exe

Filesize
208KB

MD5
3459e4e3b8c2023cb721b547fda205f6

SHA1
c4cc7eb4d2e016b762e685a87b16144fda258f9c

SHA256
9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd

SHA512
eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D070.exe

Filesize
48KB

MD5
4ce4b9841f2320094e1c01e7af7e916b

SHA1
c0e7a9f89e4b455f4d2c84d73f2824ebdceab562

SHA256
fc61a9986baa5fd63d8ebb2db082ca5d22063c31a24d622899b16a5390ab8ddd

SHA512
442f75467cb3c839bf38a3ceb6ac5bd3a92b0398e43f17e08420d23332d8685bb929a1954020e6a1d33db20a48e104ae3c2c319709fcf217a789020fa69332bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D070.exe

Filesize
70KB

MD5
8f7918350d9895708071fb568683dea1

SHA1
a1fefe7529972414cae33f056180eb25d235b872

SHA256
c1751320101f31f30d792285f387cb19bcae15e9fc60683ec285247a438d58e8

SHA512
42e7470451e92fb56c3c6b4829a8551f4138d6e0bac9df6863e13a219c31a679a584dcb3b67cfd079aed6ff58e29947247189156feaec3abcfe430f330f2c9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D070.exe

Filesize
254KB

MD5
c4b9aa61ecdc17788ea9b1220c7f76e9

SHA1
f2d9ee8a616dc153cfd94160d0c4ecf955faf5c1

SHA256
fc9307f27e9568d6ba2c5067afe1d66ebde29358d504814dbba193a9d92fa23b

SHA512
67e4161e676526b27b3e95b546e9059ed087565729a1b3bfccf483e1b518f594a5806a8b2e9da480725371b2a295f11845f53d32460abeb234e99fc3d6b50943

Download Submit
C:\Users\Admin\AppData\Local\Temp\D070.exe

Filesize
111KB

MD5
e0c3322817094ccad72afc3460e5c181

SHA1
cda37daf4b919c74492957ee9840aa27011996c8

SHA256
8e2a1a734383c6b1b42951581694069c50a886395ba46ba9a40d2d7c5fadc5f5

SHA512
cbe8326b2cb67d91e876e38de5e6370ef04675bafe78c5658d3e52fc053e6fca0077efe4668ef46d43a22945716a341c8b3f4a0a38a726bd4569f4b059e34dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D070.exe

Filesize
16KB

MD5
a2df5a9711b695030e6cc8be9348115b

SHA1
1b85861623f552020ce341180a9e684f473f3ea0

SHA256
8fbd1412c16cf79b27940a4ce2a9797d36d717a1352794ae50f39292bb848255

SHA512
c9319934b388519cc591aefc71dac8b696680a5fd224a0cb1595c5f83a5827ebf43c3c45239e7bdad69da48e0f8a1ab4ac3e4db68354f4130d0358b0eb3a3f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\E977.exe

Filesize
142KB

MD5
c85829a611d4f123ee703c2985889843

SHA1
593359cd5fd0b4ba5f53d9f8eab27662400c201c

SHA256
dcf309d221f5c9ca265fcdf0f0b85eab3929841e58ca7ddc5d7ecf090b7d22b0

SHA512
3fa4a3b976a1509593ce05ed9a4c3bb902612a1ec3c626316563027dc86b2d85afa6ef445ea4e5c20faabae45f7eb478aeb2e7e5fb7c1b5a92e5819cecdf3662

Download Submit
C:\Users\Admin\AppData\Local\Temp\E977.exe

Filesize
143KB

MD5
ca3bc965f472ebad1d58d5f89a643d28

SHA1
5e950267609bb9a6d5cf56d11dbf81db98f7618f

SHA256
d1ca7aec17aa47add4f8e236941adeb52a413a7e18971fa03380439fb3c2e9ab

SHA512
5949cd480eabfef004a4c7ac691ce248da5302d0f1d7b03fe10caf17497e79029e83ab3517d04c0c0e53143af89fdac701078060a16e7aa0e41d89f08aff8866

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPQNC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPQNC.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CHEFH.tmp\4D54.tmp

Filesize
137KB

MD5
cacc68d83b400461a8b4ad10467f9aa4

SHA1
a8c27dab507cef32da9a14329011df7e4ef78fce

SHA256
7c4e4583b3b9b177709d9ebce54dd881aa5b6afc948d8854cb3d99fa3ac3828b

SHA512
df08e1cd4ab2dcf73995d6c70370566027d69a4c0c79447ba034d29edaf581f19ca1f1243ca4ea774f36a18214ba58bd660285e776e597c59511f186879278c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CHEFH.tmp\4D54.tmp

Filesize
115KB

MD5
e07cd4cc8f8f48b67686533436f93c85

SHA1
db848de522a1e9bd420a2a448f95831d9fcb73a4

SHA256
e14f3c4aa7206868186bb9fab9375185291faece757514241618a22f719b1f63

SHA512
255844a8bd8e1977cc2148471a398c0e604cbf9a3e7372b70f3c97a1ef3e52ff449adb7a0bccadfc2740610f9b11eecfb420b5910a0666ceeb162f3b2aba9364

Download Submit
C:\Users\Admin\AppData\Local\da0ed18f-8317-4017-b871-4cde2556a2f9\D070.exe

Filesize
155KB

MD5
bb86fb35e3d90db90abf940fdb494545

SHA1
4c98fe8a458a270e55d9520debe54fa62418292a

SHA256
18d1c2b438650aa42808b9d7051f3ae67935a3dddeb3506e6ccb0b7f1b38fbad

SHA512
5301c447709d4c8074da6348dc0095a8548a6461d98b45f81fefcc4708dfb5f28061ed9f9529c6a560ec5270a0c63a69bdd1cbb3716a3f37e85dbc77dd83b408

Download Submit
C:\Users\Admin\AppData\Roaming\rhcbbvw

Filesize
49KB

MD5
fab12cb3d3349e094665d1f6b0683a00

SHA1
5e43f581d1a1920b7c0fa99db019fba388aec266

SHA256
a8361f3afb9fca0a6d6a3cd781c77ad224a8deb70a4e2c63e1e3e6f30fdf4260

SHA512
9a8f304a8134be6f5c95e7978466bf39873f089c8a4dc374df47746c23ec613544e2bf3668c794c9cd2c3bdd53c623d96d8c690c757ebb58f5c6f31d2d0762c0

Download Submit
C:\Users\Admin\AppData\Roaming\rhcbbvw

Filesize
103KB

MD5
82cf4a91beaea3b86c9e8a87015c1447

SHA1
906610cc8efc44f1e4e3ae2850f7bc5527eade46

SHA256
f39e4e2b82c1134ccd1935834fc10da1d3b5db5479b8b17d2d696533f1d08b9f

SHA512
04e11c3a33c1eeb318c37c99c3beda1caade23551c7b05aa15a4b743058dd1969258835b36f19c0356dc92173dfd43593b482ce0662bddfc6eabf9366dc9e195

Download Submit
memory/388-180-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/388-177-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/388-181-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/388-178-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1828-2-0x0000000000550000-0x000000000055B000-memory.dmp

Filesize
44KB

Download
memory/1828-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-1-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1828-3-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2268-122-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2268-190-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2268-188-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3112-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3112-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3112-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3124-195-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-210-0x0000000000B20000-0x0000000000BC2000-memory.dmp

Filesize
648KB

Download
memory/3124-220-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-214-0x0000000000B20000-0x0000000000BC2000-memory.dmp

Filesize
648KB

Download
memory/3124-184-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-199-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-189-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-203-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-207-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-194-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3124-213-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/3304-60-0x0000000000020000-0x00000000000C2000-memory.dmp

Filesize
648KB

Download
memory/3304-69-0x0000000002590000-0x0000000004590000-memory.dmp

Filesize
32.0MB

Download
memory/3304-62-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3304-61-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-72-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3396-85-0x0000000006E60000-0x0000000006E76000-memory.dmp

Filesize
88KB

Download
memory/3396-4-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/3396-18-0x00000000026F0000-0x0000000002706000-memory.dmp

Filesize
88KB

Download
memory/3480-46-0x00000000047A0000-0x0000000004833000-memory.dmp

Filesize
588KB

Download
memory/3604-185-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-208-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-101-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/3604-100-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3604-99-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-97-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/3604-96-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3604-95-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3604-94-0x0000000077444000-0x0000000077446000-memory.dmp

Filesize
8KB

Download
memory/3604-196-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-204-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-102-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3604-103-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3604-191-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-104-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3604-217-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-186-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-105-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3604-106-0x0000000004EC0000-0x0000000004EC2000-memory.dmp

Filesize
8KB

Download
memory/3604-98-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3604-200-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-93-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3604-221-0x0000000000BE0000-0x000000000118C000-memory.dmp

Filesize
5.7MB

Download
memory/3836-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4060-114-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4060-187-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4060-112-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4156-28-0x00000000048C0000-0x00000000049DB000-memory.dmp

Filesize
1.1MB

Download
memory/4156-27-0x00000000046E0000-0x0000000004774000-memory.dmp

Filesize
592KB

Download
memory/4496-16-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/4496-17-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4496-19-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4516-86-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4516-83-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4516-82-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/4868-74-0x0000000000F10000-0x0000000000F42000-memory.dmp

Filesize
200KB

Download
memory/4868-75-0x0000000000F10000-0x0000000000F42000-memory.dmp

Filesize
200KB

Download
memory/4868-73-0x0000000000ED0000-0x0000000000F10000-memory.dmp

Filesize
256KB

Download
memory/4868-76-0x0000000000F10000-0x0000000000F42000-memory.dmp

Filesize
200KB

Download
memory/4868-71-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4868-77-0x0000000000ED0000-0x0000000000F10000-memory.dmp

Filesize
256KB

Download
memory/4868-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4868-68-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4868-84-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download