chaos | b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8392650851d29f54e051d8a6499889a5.exe
Size

2.3MB
MD5

8392650851d29f54e051d8a6499889a5
SHA1

d5814cff46164e3011bfce0d3bd7f6692ec63c64
SHA256

b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
SHA512

f518039b485bc675383c11b435f2b6eab2dd8d1ffac3e0aed29d972effedeb69aa039191b0986a05c275a9ccb2d65d0efc98a21db96c9cde2c54a8fa3f0f1cd8
SSDEEP

49152:4EWDvY84YWarHKnuQDuZu/RJJlB8xsDDckz8YKBg1i1IIMoq:OxkDumRJJlQuDcXMDJ

Score

10^/10

chaos hermeticwiper xworm zgrat persistence ransomware rat trojan wiper

Malware Config

Extracted

Family

xworm

Version

3.1

gamemodz.duckdns.org:4678

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\lwnkgr.exe	family_chaos

Detect HermeticWiper 1 IoCs

Detect HermeticWiper Payload.

wiper

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\vcecju.exe	family_hermeticwiper

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-4899-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2888-4901-0x0000000004BB0000-0x0000000004BF0000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2268-2-0x0000000005CE0000-0x0000000005F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-3-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-4-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-6-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-8-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-10-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-12-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-14-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-16-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-18-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-20-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-22-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-24-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-26-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-28-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-30-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-32-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-34-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-36-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-38-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-40-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-42-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-44-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-46-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-48-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-50-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-52-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-54-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-56-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-58-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-60-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-62-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-64-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2268-66-0x0000000005CE0000-0x0000000005EFF000-memory.dmp	family_zgrat_v1

HermeticWiper
HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.
wiper hermeticwiper
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops file in Drivers directory 3 IoCs

Processes:

vcecju.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\vfdr	vcecju.exe
File opened for modification	C:\Windows\system32\Drivers\vfdr	vcecju.exe
File created	C:\Windows\system32\Drivers\vfdr.sys	vcecju.exe

Drops startup file 2 IoCs

Processes:

cvtres.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe

Executes dropped EXE 4 IoCs

Processes:

cvtres.execvtres.exelwnkgr.exevcecju.exe

pid process

772 cvtres.exe
1756 cvtres.exe
1648 lwnkgr.exe
2848 vcecju.exe
Loads dropped DLL 3 IoCs

Processes:

cvtres.exe

pid process

2888 cvtres.exe
2888 cvtres.exe
2888 cvtres.exe

pid	process
772	cvtres.exe
1756	cvtres.exe
1648	lwnkgr.exe
2848	vcecju.exe

pid	process
2888	cvtres.exe
2888	cvtres.exe
2888	cvtres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\cvtres.exe"	cvtres.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

8392650851d29f54e051d8a6499889a5.exe

description pid process target process

PID 2268 set thread context of 2888 2268 8392650851d29f54e051d8a6499889a5.exe cvtres.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2868 schtasks.exe

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 2268 set thread context of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe

pid	process
2868	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47878701-F3F7-11EE-AC1E-72D103486AAB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

480
480
480
480
480

pid	process
480
480
480
480
480

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

8392650851d29f54e051d8a6499889a5.execvtres.exevcecju.exe

description	pid	process
Token: SeDebugPrivilege	2268	8392650851d29f54e051d8a6499889a5.exe
Token: SeDebugPrivilege	2268	8392650851d29f54e051d8a6499889a5.exe
Token: SeDebugPrivilege	2888	cvtres.exe
Token: SeDebugPrivilege	2888	cvtres.exe
Token: 0	2848	vcecju.exe
Token: SeBackupPrivilege	2848	vcecju.exe
Token: SeLoadDriverPrivilege	2848	vcecju.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2216 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2216 iexplore.exe
2216 iexplore.exe
1804 IEXPLORE.EXE
1804 IEXPLORE.EXE
1804 IEXPLORE.EXE
1804 IEXPLORE.EXE

pid	process
2216	iexplore.exe

pid	process
2216	iexplore.exe
2216	iexplore.exe
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

8392650851d29f54e051d8a6499889a5.execvtres.exetaskeng.exeiexplore.exe

description	pid	process	target process
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2268 wrote to memory of 2888	2268	8392650851d29f54e051d8a6499889a5.exe	cvtres.exe
PID 2888 wrote to memory of 2868	2888	cvtres.exe	schtasks.exe
PID 2888 wrote to memory of 2868	2888	cvtres.exe	schtasks.exe
PID 2888 wrote to memory of 2868	2888	cvtres.exe	schtasks.exe
PID 2888 wrote to memory of 2868	2888	cvtres.exe	schtasks.exe
PID 620 wrote to memory of 772	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 772	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 772	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 772	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 1756	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 1756	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 1756	620	taskeng.exe	cvtres.exe
PID 620 wrote to memory of 1756	620	taskeng.exe	cvtres.exe
PID 2888 wrote to memory of 1648	2888	cvtres.exe	lwnkgr.exe
PID 2888 wrote to memory of 1648	2888	cvtres.exe	lwnkgr.exe
PID 2888 wrote to memory of 1648	2888	cvtres.exe	lwnkgr.exe
PID 2888 wrote to memory of 1648	2888	cvtres.exe	lwnkgr.exe
PID 2888 wrote to memory of 2216	2888	cvtres.exe	iexplore.exe
PID 2888 wrote to memory of 2216	2888	cvtres.exe	iexplore.exe
PID 2888 wrote to memory of 2216	2888	cvtres.exe	iexplore.exe
PID 2888 wrote to memory of 2216	2888	cvtres.exe	iexplore.exe
PID 2216 wrote to memory of 1804	2216	iexplore.exe	IEXPLORE.EXE
PID 2216 wrote to memory of 1804	2216	iexplore.exe	IEXPLORE.EXE
PID 2216 wrote to memory of 1804	2216	iexplore.exe	IEXPLORE.EXE
PID 2216 wrote to memory of 1804	2216	iexplore.exe	IEXPLORE.EXE
PID 2888 wrote to memory of 2848	2888	cvtres.exe	vcecju.exe
PID 2888 wrote to memory of 2848	2888	cvtres.exe	vcecju.exe
PID 2888 wrote to memory of 2848	2888	cvtres.exe	vcecju.exe
PID 2888 wrote to memory of 2848	2888	cvtres.exe	vcecju.exe

C:\Users\Admin\AppData\Local\Temp\8392650851d29f54e051d8a6499889a5.exe
"C:\Users\Admin\AppData\Local\Temp\8392650851d29f54e051d8a6499889a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\lwnkgr.exe
    "C:\Users\Admin\AppData\Local\Temp\lwnkgr.exe"
    3⤵
    - Executes dropped EXE
    PID:1648
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://i.imgflip.com/1p7cdj.jpg
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\vcecju.exe
    "C:\Users\Admin\AppData\Local\Temp\vcecju.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2848

C:\Windows\system32\taskeng.exe
taskeng.exe {8D51D6CB-9241-442F-8BAE-B25033B54877} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Roaming\cvtres.exe
  C:\Users\Admin\AppData\Roaming\cvtres.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Users\Admin\AppData\Roaming\cvtres.exe
  C:\Users\Admin\AppData\Roaming\cvtres.exe
  2⤵
  - Executes dropped EXE
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
708e7616e14b4f0b29066d538f86cd71

SHA1
1820c4866fdc29da08feef4a26905979c714cfeb

SHA256
d03729eb3c58ad6785ed5cceb2411ac56884bb8bbc3fbeee425425d50eb00fa9

SHA512
8f785a412fc836649bae205258e310729bda057c117b942b370f8aef6ba0da32c7234c9e038824510494ef2bdea09a7b629c86188730f051394823fc571024aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e91761a405b5a283c4c976b7955c9c9

SHA1
4af2cb604fbb0b1f059afec2d62a6e681c3c4b64

SHA256
b5f720edd74fbffc38fce95ec3d5833f80d3f3be132143ba5b821af1f7e74318

SHA512
9cd7e08657f101a9029902bfbc03f020d371f35482fa2dbf5ec7f72fd55ea063e9d01bad3e482a7c7951f1b19480e22283c4b4428747eaed174947be7c178c28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06a4487a94897f71886eeaee8845fef6

SHA1
2d1a9ef31dbbbbf82411dbd51635b775a56d8170

SHA256
99b0d2a330eb4c63c5153ce5bd695792508bdf5e7779ee46aecfa95c32e4169f

SHA512
c7f6ea5ce4b0e4b87772a81a7cce3174ffa39ea7e9725c066b1438ccf14ec1bdbfa9ee19d3773af18bbcb7d35e4e2639ff3e218c016fb67a3ab7fa0d980b9e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a092b1ddfc7c3de93bd928fc9139e56

SHA1
076cde733b681178a801566e24e91e3eb391a5db

SHA256
71b21f028c9bf46fb56ba43fc1a01e807b0f5032969920ebef309c58e4356585

SHA512
5eb77753d5db95c9eaee271f07d7e7bea19a7e13620863456413747e9355baa4f79fc4169fa6203a1b580904219a782cbb9aa49fc6fe791bd5217a81d19b9204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
204682d5ca2354a92430427e4ae84b69

SHA1
7a46fdc64ef3cc8fce9e6b238af85937036824d9

SHA256
194e0d5a335c98f618f9dd07a928ba4577d66ad6931b055dcf2d6330771c7a4e

SHA512
dce408a2861333c2f751a137f553171bbfe6d1cd255f3cfa3f514852531029f147898c02442fab3a4a95d9fcf491b70e67ddbeb9434cb7978b526e745432d7be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
365361dffe3f30c765f81fb210007adb

SHA1
eca19fd628c127f83e1e6f95628f48f5a93feb46

SHA256
804d531d691ac63dfaf65b962c375cffc6194b530ef064b7f8779b8ae5085b6a

SHA512
d3fa5882d5732f9a5e12db44a8405cdfe822cbcb66bbda3e85bc513bdf9e0250d9be2fc007bda512cd484edec25983047e2a1e54907ba92f2a7045a4a8d64d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
576989b9437745d1f4896389caa871d6

SHA1
f934e9fa36071bb42f0d9ab78c17ed066e19f090

SHA256
da3b35c4dda1b2a5a38ed1bc92ab16802c67873df7c1a22d2a2e22455dcd6472

SHA512
74ccc733813c524494b2187fc3162e37c0d548e68b86cc0f1b4ece46acf5b108c6fc45eb679396e7dca0169bb652e3249ffae296cd69e1ae9382bb79b97b2a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94ab8518a663910462912c1060ea5308

SHA1
8b8b83ca6da93615bb124215321ce673858dfee8

SHA256
be730a0409911b73a2557d98c269bccbb8b8f91c0efd2031eb78506cd2a7b36a

SHA512
ab902bd35af70a3d859421b0dd83d06f1ea3c85a04c2a81f5f65435c6036c83950ba4970037793beb394b570a5f5535776295b49fa4c0797e1f607917c03a930

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23a36b33fe09a26afd8072a5a46808b5

SHA1
a8bc8232856a159e285e3a5a62be5979d662dc0b

SHA256
1a4448a21b7fdf051690ad1e56740c7fdd1a2979e6b92a451541dbdb29fc4224

SHA512
d69255955f386e3b0be765e9f4737dd630154ece9dd9da34bf283a84e7edbf13169de26863bd6c6923f81f6bd2565c909ad0e2d7bc473676c2f656c9a4240dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d098cf1fe12adf945ea3a94104396578

SHA1
fe7966e1769f348556dc1f6e7e19531aaa49a393

SHA256
8f2fe063d085a5ea4565542483746c7541568e39bbe35ff874de984e48f48e5c

SHA512
f06094cc24c7633d6feb4852d58f1eea28fbc7d2de75fe719f14528fb67f4172f19ba26937e86734786a55df2925ba32e8341e5b1ff198b8fe4578a8fb4f4aed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e52105fc2d635aeb487860c58a50af8

SHA1
aee1504c7365365323ad9913587c753fbd12520a

SHA256
5d566fd435b2c27e973fff828dbb2e0995482eca2a245be135318d321bff4832

SHA512
b9339d63e34cbd429becca213ef0b923ae16277923a29ca70d5d504fcb44efd4ccafac17f85aa1f1b1ddbeeae11c16781da5e2b027ac48fce6ce0fa7b4f11c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d99b0e5698f04abee9e61c0a13f907a0

SHA1
895d4b868fbbff2ad0987a7796394012f4464ea8

SHA256
fce7406f95e39359d700971394cb9b05ce616270c385c763e3989f090d5aaa7e

SHA512
ca0f1a96567e87a3d1b6a419e58d8b1e147defdd357d3927a3a7f3e09cbb80354349ed600d0c3b60b5f74223db4ce2f1650333bfe6f98a88f8809b3044f2f6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4669a734e36bba38c868b318dd837a32

SHA1
bf36006f1fddbec908552817cacd2bc1e1bc5d2d

SHA256
e8091de424974189a05d61f8bdfff3f95df6b2809b0797f30db33745a103b606

SHA512
55f3e08d360a190dcb5a0e87113932031fed8bbe07591ecad221ff6914767afa3231b0362a1cfe7c878d51168be787e65561ed9164db4144d615a7cc3b332c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD3B5.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD53F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\cvtres.exe

Filesize
42KB

MD5
c09985ae74f0882f208d75de27770dfa

SHA1
31b7a087f3c0325d11f8de298f2d601ab8f94897

SHA256
e24570abd130832732d0dd3ec4efb6e3e1835064513c8b8a2b1ae0d530b04534

SHA512
d624e26d12588b8860f957f7dcfca29a84724dc087e26123136cd5e7e4e81c8233090fbd8455df17a73e452beaa780590d1f99b91ae27e151c39353999b11540

Download Submit
\Users\Admin\AppData\Local\Temp\lwnkgr.exe

Filesize
84KB

MD5
7051dcbe9a0837a312b09a5ae3b42430

SHA1
3553ff8725a57929e438228bf141b695c13cecb4

SHA256
ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644

SHA512
2e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c

Download Submit
\Users\Admin\AppData\Local\Temp\vcecju.exe

Filesize
114KB

MD5
3f4a16b29f2f0532b7ce3e7656799125

SHA1
61b25d11392172e587d8da3045812a66c3385451

SHA256
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

SHA512
32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80

Download Submit
memory/2268-30-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-0-0x0000000000D00000-0x0000000000F4A000-memory.dmp

Filesize
2.3MB

Download
memory/2268-42-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-44-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-46-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-48-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-50-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-52-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-54-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-56-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-58-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-60-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-62-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-64-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-66-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-4883-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2268-4884-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2268-4885-0x0000000000A90000-0x0000000000AF2000-memory.dmp

Filesize
392KB

Download
memory/2268-4886-0x0000000000C30000-0x0000000000C7C000-memory.dmp

Filesize
304KB

Download
memory/2268-4887-0x0000000004360000-0x00000000043B4000-memory.dmp

Filesize
336KB

Download
memory/2268-4895-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-8-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-2-0x0000000005CE0000-0x0000000005F06000-memory.dmp

Filesize
2.1MB

Download
memory/2268-40-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-38-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-3-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-4-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-36-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-34-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-32-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-1-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-28-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-26-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-24-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-6-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-22-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-20-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-18-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-16-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-14-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-12-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2268-10-0x0000000005CE0000-0x0000000005EFF000-memory.dmp

Filesize
2.1MB

Download
memory/2888-4901-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/2888-5015-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/2888-4913-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/2888-4912-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-4900-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-4899-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download