djvu | 944e3da5cf2cebf1ae8c127a66def8d245911b3ae51b78120fafecac59499a9c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aed10ad37747d1d3c3078b2a24a73ccf.exe
Size

216KB
MD5

aed10ad37747d1d3c3078b2a24a73ccf
SHA1

c6647496404dbb0a381fbaef83e2126c363153a5
SHA256

944e3da5cf2cebf1ae8c127a66def8d245911b3ae51b78120fafecac59499a9c
SHA512

e5a7181dbf4315e73516cab06c16c39e0d02ef4ea74d0688198d1b1eccfe4166e20f902f08b56660fea7579c0086330004349c4f81f1aecee501bbfeadcbb3e6
SSDEEP

3072:qhAVkKKz6bqDSWrItkJj75qwv7Zt6gIZi26GDaMQxgMXEfpF:qh12m+kZlqw9t6AGOMQxgMXI

Score

10^/10

djvu risepro smokeloader socks5systemz pub1 backdoor botnet discovery evasion persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Detect Socks5Systemz Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5424-201-0x0000000000990000-0x0000000000A32000-memory.dmp	family_socks5systemz
behavioral2/memory/5424-204-0x0000000000990000-0x0000000000A32000-memory.dmp	family_socks5systemz

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3204-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3204-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3204-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5688-28-0x0000000004920000-0x0000000004A3B000-memory.dmp	family_djvu
behavioral2/memory/3204-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3204-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1372-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1372-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1372-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5245.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5245.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5245.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5245.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5245.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5245.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

D12C.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation D12C.exe
Deletes itself 1 IoCs

Processes:

pid process

3428

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	D12C.exe

pid	process
3428

Executes dropped EXE 11 IoCs

Processes:

B1CB.exeD12C.exeD12C.exeD12C.exeD12C.exeF455.exe5245.exe5A64.exe5A64.tmpksverify.exeksverify.exe

pid	process
1880	B1CB.exe
5688	D12C.exe
3204	D12C.exe
1384	D12C.exe
1372	D12C.exe
2632	F455.exe
2152	5245.exe
2372	5A64.exe
2564	5A64.tmp
4256	ksverify.exe
5424	ksverify.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5245.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine 5245.exe
Loads dropped DLL 3 IoCs

Processes:

5A64.tmp

pid process

2564 5A64.tmp
2564 5A64.tmp
2564 5A64.tmp
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5196 icacls.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	5245.exe

pid	process
2564	5A64.tmp
2564	5A64.tmp
2564	5A64.tmp

pid	process
5196	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

D12C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6de77ddf-122a-49ec-ab09-046c1810c4da\\D12C.exe\" --AutoStart"	D12C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 api.2ip.ua
39 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5245.exe

pid process

2152 5245.exe

flow	ioc
38	api.2ip.ua
39	api.2ip.ua

pid	process
2152	5245.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

D12C.exeD12C.exeF455.exe

description	pid	process	target process
PID 5688 set thread context of 3204	5688	D12C.exe	D12C.exe
PID 1384 set thread context of 1372	1384	D12C.exe	D12C.exe
PID 2632 set thread context of 4496	2632	F455.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2256 1372 WerFault.exe D12C.exe
412 4496 WerFault.exe RegAsm.exe
2428 4496 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
2256	1372	WerFault.exe	D12C.exe
412	4496	WerFault.exe	RegAsm.exe
2428	4496	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aed10ad37747d1d3c3078b2a24a73ccf.exeB1CB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aed10ad37747d1d3c3078b2a24a73ccf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aed10ad37747d1d3c3078b2a24a73ccf.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aed10ad37747d1d3c3078b2a24a73ccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B1CB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B1CB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B1CB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aed10ad37747d1d3c3078b2a24a73ccf.exe

pid	process
4132	aed10ad37747d1d3c3078b2a24a73ccf.exe
4132	aed10ad37747d1d3c3078b2a24a73ccf.exe
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

aed10ad37747d1d3c3078b2a24a73ccf.exeB1CB.exe

pid process

4132 aed10ad37747d1d3c3078b2a24a73ccf.exe
1880 B1CB.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5A64.tmp

pid process

2564 5A64.tmp
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3428

pid	process
2564	5A64.tmp

pid	process
3428

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

D12C.exeD12C.exeD12C.exeF455.exe5A64.exe5A64.tmp

description	pid	process	target process
PID 3428 wrote to memory of 1880	3428		B1CB.exe
PID 3428 wrote to memory of 1880	3428		B1CB.exe
PID 3428 wrote to memory of 1880	3428		B1CB.exe
PID 3428 wrote to memory of 5688	3428		D12C.exe
PID 3428 wrote to memory of 5688	3428		D12C.exe
PID 3428 wrote to memory of 5688	3428		D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 5688 wrote to memory of 3204	5688	D12C.exe	D12C.exe
PID 3204 wrote to memory of 5196	3204	D12C.exe	icacls.exe
PID 3204 wrote to memory of 5196	3204	D12C.exe	icacls.exe
PID 3204 wrote to memory of 5196	3204	D12C.exe	icacls.exe
PID 3204 wrote to memory of 1384	3204	D12C.exe	D12C.exe
PID 3204 wrote to memory of 1384	3204	D12C.exe	D12C.exe
PID 3204 wrote to memory of 1384	3204	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 1384 wrote to memory of 1372	1384	D12C.exe	D12C.exe
PID 3428 wrote to memory of 2632	3428		F455.exe
PID 3428 wrote to memory of 2632	3428		F455.exe
PID 3428 wrote to memory of 2632	3428		F455.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 2632 wrote to memory of 4496	2632	F455.exe	RegAsm.exe
PID 3428 wrote to memory of 2152	3428		5245.exe
PID 3428 wrote to memory of 2152	3428		5245.exe
PID 3428 wrote to memory of 2152	3428		5245.exe
PID 3428 wrote to memory of 2372	3428		5A64.exe
PID 3428 wrote to memory of 2372	3428		5A64.exe
PID 3428 wrote to memory of 2372	3428		5A64.exe
PID 2372 wrote to memory of 2564	2372	5A64.exe	5A64.tmp
PID 2372 wrote to memory of 2564	2372	5A64.exe	5A64.tmp
PID 2372 wrote to memory of 2564	2372	5A64.exe	5A64.tmp
PID 2564 wrote to memory of 4256	2564	5A64.tmp	ksverify.exe
PID 2564 wrote to memory of 4256	2564	5A64.tmp	ksverify.exe
PID 2564 wrote to memory of 4256	2564	5A64.tmp	ksverify.exe
PID 2564 wrote to memory of 5424	2564	5A64.tmp	ksverify.exe
PID 2564 wrote to memory of 5424	2564	5A64.tmp	ksverify.exe
PID 2564 wrote to memory of 5424	2564	5A64.tmp	ksverify.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aed10ad37747d1d3c3078b2a24a73ccf.exe
"C:\Users\Admin\AppData\Local\Temp\aed10ad37747d1d3c3078b2a24a73ccf.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4132

C:\Users\Admin\AppData\Local\Temp\B1CB.exe
C:\Users\Admin\AppData\Local\Temp\B1CB.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1880

C:\Users\Admin\AppData\Local\Temp\D12C.exe
C:\Users\Admin\AppData\Local\Temp\D12C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5688

C:\Users\Admin\AppData\Local\Temp\D12C.exe
C:\Users\Admin\AppData\Local\Temp\D12C.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6de77ddf-122a-49ec-ab09-046c1810c4da" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5196

C:\Users\Admin\AppData\Local\Temp\D12C.exe
"C:\Users\Admin\AppData\Local\Temp\D12C.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\D12C.exe
"C:\Users\Admin\AppData\Local\Temp\D12C.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 568
5⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1372 -ip 1372
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\F455.exe
C:\Users\Admin\AppData\Local\Temp\F455.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1232
3⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 808
3⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4496 -ip 4496
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4496 -ip 4496
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4496 -ip 4496
1⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\5245.exe
C:\Users\Admin\AppData\Local\Temp\5245.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2152

C:\Users\Admin\AppData\Local\Temp\5A64.exe
C:\Users\Admin\AppData\Local\Temp\5A64.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\is-4KDI9.tmp\5A64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4KDI9.tmp\5A64.tmp" /SL5="$6016E,7390120,54272,C:\Users\Admin\AppData\Local\Temp\5A64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
"C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -s
3⤵
- Executes dropped EXE
PID:5424

C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
"C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -i
3⤵
- Executes dropped EXE
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6de77ddf-122a-49ec-ab09-046c1810c4da\D12C.exe
Filesize
323KB

MD5
040362fd3b2c9c501285d2dca87c32eb

SHA1
67cc60b025c10b91be46da8b1df4fb4323eb91db

SHA256
08cc9707ed34b9380c4b49aaf2cc8ef6be972bf65ff6d2e574b13b403aa369ad

SHA512
398ffc3c4c8bdf03bbe9743d369eb0fc26ebf82ad9817b08415f52da590e93c0fa800638a6d4d9159fc5d09238279d3be4dde816b2e4c0e99a126be4e2f4be7b

Download Submit
C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
Filesize
211KB

MD5
1c138182739b65f19f38692f20cc3a81

SHA1
e59cf1733bafc9fa24c548f55f25062d3510f4db

SHA256
908414fd61f3160a473bb27ceaddd2c1df0edfd5b22105386d7f9bacffc40bf8

SHA512
31dca581b70a152432db8eab2fa840501c2b4dc09882337470b49c6f441c9485d69daa0d652974aa1e0a734d71b3a3d00f140b4ec382d83ddfab4d10b71de6cb

Download Submit
C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
Filesize
270KB

MD5
c320b7b8edaa5101f95506c4b185a3c0

SHA1
5751babab1285d9cee6488baa6b9ecdc103666c3

SHA256
fb138171233ffe0ff8e75c8242dba415f91e891382e8d0eb7a1a8659cc14e002

SHA512
cc142a832a54e8050b043b59feac05201d7f052e65fefcdfa3b17f10d2d97bce0a25cc7c27dcf08b932de6affe2d606e6548383417bde4a111e90404ff649831

Download Submit
C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
Filesize
144KB

MD5
4bc98b4acde19b59fa0352099bc26230

SHA1
23861594a0d593b26523b01bee37efbaafab8c28

SHA256
51c9466942ca5c47bfe064c1ca8219b988c305491c3231c97fa0d8dfcb8b13d8

SHA512
7db0c46d82e1c9b0eebdc74c7907610b75334cc31b50474c2758968504ffdd0ba538ff915325d42f69a85abda15ba013b35bf4dd6573322857ece616e54c1d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5245.exe
Filesize
637KB

MD5
ef9436c56a30e0fc12e924eb14af81d2

SHA1
80a172b1511726e70ea4d6d588412118a7e343e2

SHA256
b178abc2df3f47dcf98b6be48e9cb4cbc399564340f4a45f411e60649b056bb3

SHA512
cbdf51fa9dfb99f134ca630cbe3db7f2e47a6dcd4ab28102292d45bfdae0780270c81377e66c0657aa4a92c58c9ecd4d9b8dc7f64d995a6632718bf41d5b8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5245.exe
Filesize
578KB

MD5
b90471b09bec5f13fd1b7ecea471f1ed

SHA1
90b81aaf06414f70b8c3192c15efd43894c47def

SHA256
d828c3bb26e4ecc1b0316447dca80c6b9c34ec5a43e8dcc5820753f8704ff3d1

SHA512
a77ab487234ab3139116511249f32202fb62102109907b01420acab8c5449a7402a0a1a20895b9fd3c3e07cdef520fc13972c73ed317cb2ae22d668928cf952f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A64.exe
Filesize
462KB

MD5
30cf5db935fb751ba8920e95cfe60f17

SHA1
f081d029a4eb3fad563d6442114b929793f0ba8b

SHA256
b150e138d91a1a7f7c702d7b52c7131bcf337525654273d4bdd95436d9085ce1

SHA512
1520e50d3feb75c309fafe18cdff1fb4ba5aaea15cc7a1dfae73871736bb1dd1842b8622f9f828f4453fcdbb4a7f261acfd9e1ebb0b70da0609d73a5d0f903f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A64.exe
Filesize
273KB

MD5
650436775412559ddf48db9249a18dd1

SHA1
e77c6b02fa318d3f4763f1b817aab62b430dffc7

SHA256
32f67518fd3f31a65cc7e4f31c2212dc307bf17e4291031b90322a743d67d58b

SHA512
a1336fb8d99bc6f4cb89b55d20fa728b9a46ceab882b2d4f6c14e1ced36fbfa08a0b4cc2f004c7bd58ef0d4725e089f919a05168bb42d276801423ff61b43a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1CB.exe
Filesize
208KB

MD5
3459e4e3b8c2023cb721b547fda205f6

SHA1
c4cc7eb4d2e016b762e685a87b16144fda258f9c

SHA256
9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd

SHA512
eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D12C.exe
Filesize
686KB

MD5
77c4f6bb281f77975dcafa34ac349790

SHA1
d7f9091c80970c92769ec6ef76b67609afabe1eb

SHA256
135698647c6708059999b677fcd123b3255cdb3020842db103dbe990f4cc0593

SHA512
ed0b9f4fba640134402a034bc7eabdf2ab6f276c2e145a8a83b54bb592d992f9b6b47e759f4a3ae5dcd3eb6d5c56c09b66f612334d335c03c4c502aaeb16ccb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D12C.exe
Filesize
148KB

MD5
910a4e4d7be0fdc3906230cc88e873f2

SHA1
1839b5523bd897659ac17e6647609da1ade09d0c

SHA256
e901c85fd769dec27e6fb69ad33f7ae748653a8437726fdad4dfb2dc5a54d543

SHA512
ac2358b4946cc2c2c641f9881b25b5e568d5b0ae97b9b8a433f142d59745fe044ab8d66696171388fd66ac2347f742a496410aeef3b207e05e4376a3c7b0e9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D12C.exe
Filesize
238KB

MD5
0a6cb101e41a731d3b594005ef57d66b

SHA1
98a46aa49348de1e7c416716f92759109d02b68b

SHA256
ed7c4829c5e2863b9067ade85918e7b9e09a17f23602cedaa5aa403e8ff61e24

SHA512
b94d151861c88bf0c99215da0ed473e058c140a4d1a0702b4791617a8dce4ee018242095f1c075a252dd11854c7361b14721fd2510fb0393934e7b9c3a103a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F455.exe
Filesize
466KB

MD5
0a5135c77b53558af6ebc6e876ad26b9

SHA1
d8921d0280b4f44b0ed120a2bbcfa370a9e813ae

SHA256
9776029f2d1dcc3397d5901f9f3e072cf27ff204becfba6bfb433acc2b369607

SHA512
6fbf3c28a707ebb4d905fbd7dd0b11f6b4e1c2263c410f823f3e6df3e95f31c2046d215e5b27983f0cadc8415ccf894f139c96b4bde2bbf9f66ab0311b5b852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F455.exe
Filesize
201KB

MD5
212bc63078114daa2e021d4f5fa776ae

SHA1
ded882ff57f0e2ce333bd2f395b7a808d965d650

SHA256
516565a7d9b86c28f1e21e3f2a123e9a96a4a9fa0141b8607075c3f68a079e67

SHA512
fadf4f7432fe03b4c0e1165808d1b99c039d6f7fd2b3cdbd59455ac5352906f8c901881b76b47d6d3b8e5501d62e939569c662c1af36fe4d740c99277792386a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30TPS.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30TPS.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4KDI9.tmp\5A64.tmp
Filesize
265KB

MD5
b7fad954aad6502d4924e0e9bb2c1d21

SHA1
429ca807656de3f469907e86c01ce25a6fe83790

SHA256
fc38427ea4eb1fdbc3c609573ef9580e4eb34c21a0b0d9174ba14c9fa46714b9

SHA512
a04119c8f41a8a41ea94d1a0fb39f41ebf68461ff922d4190bbd8a8af3490e6fa082cabaaac73c9ed56d49432b6e22fd7004965ede001b6eabe7df1c846c1976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4KDI9.tmp\5A64.tmp
Filesize
214KB

MD5
0bb0d9327c014662f1a1ce47a0b18710

SHA1
40a4451fb19225ff34506dd4267af34def702753

SHA256
3645c2453102623df0bc679edcc746eb2e874625939e5b580aa958cee0e2ce2b

SHA512
6f15964b6d1a46077e744d7f8fdba92c721f8d2cb28d4cf3ff4153d223c245b9adc04145623b7cc4165ea1b5698ed060d645d28b580a7e66816571e9eb315457

Download Submit
memory/1372-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1372-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1372-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1384-48-0x00000000046C0000-0x0000000004762000-memory.dmp

Filesize
648KB

Download
memory/1880-19-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1880-17-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1880-16-0x0000000002C30000-0x0000000002D30000-memory.dmp

Filesize
1024KB

Download
memory/2152-92-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2152-96-0x0000000004C30000-0x0000000004C32000-memory.dmp

Filesize
8KB

Download
memory/2152-211-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-207-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-198-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-194-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-190-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-186-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-181-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-90-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2152-176-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-175-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-91-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2152-88-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2152-85-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2152-86-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2152-83-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-87-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2152-84-0x0000000077CC4000-0x0000000077CC6000-memory.dmp

Filesize
8KB

Download
memory/2152-89-0x00000000000B0000-0x000000000065C000-memory.dmp

Filesize
5.7MB

Download
memory/2152-95-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2152-94-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/2152-93-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2372-101-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2372-103-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2372-177-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2564-178-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2564-114-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2564-180-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2632-70-0x0000000002570000-0x0000000004570000-memory.dmp

Filesize
32.0MB

Download
memory/2632-61-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/2632-71-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/2632-60-0x00000000000D0000-0x0000000000172000-memory.dmp

Filesize
648KB

Download
memory/2632-62-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/3204-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3428-18-0x00000000034D0000-0x00000000034E6000-memory.dmp

Filesize
88KB

Download
memory/3428-4-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/4132-3-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-5-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-1-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/4132-2-0x0000000000590000-0x000000000059B000-memory.dmp

Filesize
44KB

Download
memory/4256-170-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/4256-169-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/4256-167-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/4256-166-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/4496-72-0x0000000002D60000-0x0000000002DA0000-memory.dmp

Filesize
256KB

Download
memory/4496-68-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4496-74-0x0000000002D20000-0x0000000002D52000-memory.dmp

Filesize
200KB

Download
memory/4496-78-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4496-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4496-73-0x0000000002D20000-0x0000000002D52000-memory.dmp

Filesize
200KB

Download
memory/4496-75-0x0000000002D20000-0x0000000002D52000-memory.dmp

Filesize
200KB

Download
memory/4496-76-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5424-197-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-201-0x0000000000990000-0x0000000000A32000-memory.dmp

Filesize
648KB

Download
memory/5424-189-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-173-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-193-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-179-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-184-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-214-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-185-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-204-0x0000000000990000-0x0000000000A32000-memory.dmp

Filesize
648KB

Download
memory/5424-202-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-174-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5424-210-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/5688-28-0x0000000004920000-0x0000000004A3B000-memory.dmp

Filesize
1.1MB

Download
memory/5688-27-0x0000000004790000-0x000000000482E000-memory.dmp

Filesize
632KB

Download