chaos | b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08

Analysis

max time kernel
146s
max time network
166s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Size

2.3MB
MD5

8392650851d29f54e051d8a6499889a5
SHA1

d5814cff46164e3011bfce0d3bd7f6692ec63c64
SHA256

b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
SHA512

f518039b485bc675383c11b435f2b6eab2dd8d1ffac3e0aed29d972effedeb69aa039191b0986a05c275a9ccb2d65d0efc98a21db96c9cde2c54a8fa3f0f1cd8
SSDEEP

49152:4EWDvY84YWarHKnuQDuZu/RJJlB8xsDDckz8YKBg1i1IIMoq:OxkDumRJJlQuDcXMDJ

Score

10^/10

chaos xworm zgrat bootkit persistence pyinstaller ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

gamemodz.duckdns.org:4678

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014a78-4917.dat	family_chaos
behavioral1/memory/2676-4920-0x0000000000090000-0x00000000000AC000-memory.dmp	family_chaos

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1864-4900-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1800-2-0x0000000005CC0000-0x0000000005EE6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-3-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-4-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-6-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-8-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-10-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-12-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-14-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-16-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-18-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-20-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-22-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-24-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-26-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-28-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-30-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-32-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-34-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-36-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-38-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-40-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-42-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-44-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-46-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-48-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-50-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-52-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-54-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-56-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-58-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-60-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-62-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-64-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1
behavioral1/memory/1800-66-0x0000000005CC0000-0x0000000005EDF000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral1/memory/1864-4900-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects command variations typically used by ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014a78-4917.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2676-4920-0x0000000000090000-0x00000000000AC000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe

Executes dropped EXE 6 IoCs

pid	Process
2676	gqskyq.exe
2988	mrtvez.exe
2112	iqfuoe.exe
2844	xjfebo.exe
2508	cvtres.exe
3036	xjfebo.exe

Loads dropped DLL 9 IoCs

pid	Process
1864	cvtres.exe
1864	cvtres.exe
1864	cvtres.exe
1864	cvtres.exe
2844	xjfebo.exe
2844	xjfebo.exe
2844	xjfebo.exe
2844	xjfebo.exe
3036	xjfebo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\cvtres.exe"	cvtres.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	iqfuoe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000014bd8-4935.dat	pyinstaller

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2540	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F74BCE0-F47D-11EE-ADC2-DE62917EBCA6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2676	gqskyq.exe
2676	gqskyq.exe
2676	gqskyq.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Token: SeDebugPrivilege	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Token: SeDebugPrivilege	1864	cvtres.exe
Token: SeDebugPrivilege	1864	cvtres.exe
Token: SeDebugPrivilege	2676	gqskyq.exe
Token: 33	2776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2776	AUDIODG.EXE
Token: 33	2776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2776	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
888	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
888	iexplore.exe
888	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1800 wrote to memory of 1864	1800	b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe	30
PID 1864 wrote to memory of 2540	1864	cvtres.exe	32
PID 1864 wrote to memory of 2540	1864	cvtres.exe	32
PID 1864 wrote to memory of 2540	1864	cvtres.exe	32
PID 1864 wrote to memory of 2540	1864	cvtres.exe	32
PID 1864 wrote to memory of 2676	1864	cvtres.exe	34
PID 1864 wrote to memory of 2676	1864	cvtres.exe	34
PID 1864 wrote to memory of 2676	1864	cvtres.exe	34
PID 1864 wrote to memory of 2676	1864	cvtres.exe	34
PID 1864 wrote to memory of 2988	1864	cvtres.exe	35
PID 1864 wrote to memory of 2988	1864	cvtres.exe	35
PID 1864 wrote to memory of 2988	1864	cvtres.exe	35
PID 1864 wrote to memory of 2988	1864	cvtres.exe	35
PID 1864 wrote to memory of 2112	1864	cvtres.exe	36
PID 1864 wrote to memory of 2112	1864	cvtres.exe	36
PID 1864 wrote to memory of 2112	1864	cvtres.exe	36
PID 1864 wrote to memory of 2112	1864	cvtres.exe	36
PID 2676 wrote to memory of 528	2676	gqskyq.exe	37
PID 2676 wrote to memory of 528	2676	gqskyq.exe	37
PID 2676 wrote to memory of 528	2676	gqskyq.exe	37
PID 1864 wrote to memory of 2844	1864	cvtres.exe	38
PID 1864 wrote to memory of 2844	1864	cvtres.exe	38
PID 1864 wrote to memory of 2844	1864	cvtres.exe	38
PID 1864 wrote to memory of 2844	1864	cvtres.exe	38
PID 548 wrote to memory of 2508	548	taskeng.exe	41
PID 548 wrote to memory of 2508	548	taskeng.exe	41
PID 548 wrote to memory of 2508	548	taskeng.exe	41
PID 548 wrote to memory of 2508	548	taskeng.exe	41
PID 2844 wrote to memory of 3036	2844	xjfebo.exe	43
PID 2844 wrote to memory of 3036	2844	xjfebo.exe	43
PID 2844 wrote to memory of 3036	2844	xjfebo.exe	43
PID 1864 wrote to memory of 888	1864	cvtres.exe	44
PID 1864 wrote to memory of 888	1864	cvtres.exe	44
PID 1864 wrote to memory of 888	1864	cvtres.exe	44
PID 1864 wrote to memory of 888	1864	cvtres.exe	44
PID 888 wrote to memory of 564	888	iexplore.exe	46
PID 888 wrote to memory of 564	888	iexplore.exe	46
PID 888 wrote to memory of 564	888	iexplore.exe	46
PID 888 wrote to memory of 564	888	iexplore.exe	46

C:\Users\Admin\AppData\Local\Temp\b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
"C:\Users\Admin\AppData\Local\Temp\b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\gqskyq.exe
    "C:\Users\Admin\AppData\Local\Temp\gqskyq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2676 -s 564
      4⤵
      PID:528
- - C:\Users\Admin\AppData\Local\Temp\mrtvez.exe
    "C:\Users\Admin\AppData\Local\Temp\mrtvez.exe"
    3⤵
    - Executes dropped EXE
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\iqfuoe.exe
    "C:\Users\Admin\AppData\Local\Temp\iqfuoe.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\xjfebo.exe
    "C:\Users\Admin\AppData\Local\Temp\xjfebo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\xjfebo.exe
      "C:\Users\Admin\AppData\Local\Temp\xjfebo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://i.imgflip.com/1p7cdj.jpg
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\system32\taskeng.exe
taskeng.exe {508C77EE-A879-4DE0-A5B1-FEACB787743B} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Roaming\cvtres.exe
  C:\Users\Admin\AppData\Roaming\cvtres.exe
  2⤵
  - Executes dropped EXE
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e448bd9659272b386428e0c506d4cc0

SHA1
7ed5abf2afe5e78add7150946c575398c298b023

SHA256
9524bc43984a6284483d49af2533e88206730e2e5acae1b54579dd97b9cc9b87

SHA512
83266cb59675da904e152b99195e28c0a2199bffa0493224c336c13f943863b18009106dade7b8ae3fbe1072341ac59fcb31e90cd4c58464197e1927515317bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7aab695c88f0ba1205535a31c4f89b67

SHA1
ed3518f3150732729e8bee68aad7b08ce33f0664

SHA256
7641782feb3c77fb2a4a78bcf313e0a3e354fcfcde6bac0b3088c924a38249eb

SHA512
2bb9d52495a7c1964904d6e1d5ec13eb681ec06b7bed406538907251758cd6d5af7ac3e59246cd74e7056b0b59aee30da569524b8ae04e6f5b6ca53ff1825cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab77A0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7893.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\tk\text.tcl

Filesize
34KB

MD5
7c2ac370de0b941ae13572152419c642

SHA1
7598cc20952fa590e32da063bf5c0f46b0e89b15

SHA256
4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e

SHA512
8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\tk\ttk\cursors.tcl

Filesize
4KB

MD5
18ec3e60b8dd199697a41887be6ce8c2

SHA1
13ff8ce95289b802a5247b1fd9dea90d2875cb5d

SHA256
7a2ed9d78fabcafff16694f2f4a2e36ff5aa313f912d6e93484f3bcd0466ad91

SHA512
4848044442efe75bcf1f89d8450c8ecbd441f38a83949a3cd2a56d9000cacaa2ea440ca1b32c856ab79358ace9c7e3f70ddf0ec54aa93866223d8fef76930b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\tk\ttk\fonts.tcl

Filesize
5KB

MD5
80331fcbe4c049ff1a0d0b879cb208de

SHA1
4eb3efdfe3731bd1ae9fd52ce32b1359241f13cf

SHA256
b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b

SHA512
a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\tk\ttk\ttk.tcl

Filesize
4KB

MD5
af45b2c8b43596d1bdeca5233126bd14

SHA1
a99e75d299c4579e10fcdd59389b98c662281a26

SHA256
2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b

SHA512
c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\tk\ttk\utils.tcl

Filesize
8KB

MD5
d98edc491da631510f124cd3934f535f

SHA1
33037a966067c9f5c9074ae5532ff3b51b4082d4

SHA256
d58610a34301bb6e61a60bec69a7cecf4c45c6a034a9fc123977174b586278be

SHA512
23faed8298e561f490997fe44ab61cd8ccb9f1f63d48bb4cf51fc9e591e463ff9297973622180d6a599cabb541c82b8fe33bf38a82c5d5905bbfa52ca0341399

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqskyq.exe

Filesize
84KB

MD5
7051dcbe9a0837a312b09a5ae3b42430

SHA1
3553ff8725a57929e438228bf141b695c13cecb4

SHA256
ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644

SHA512
2e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqfuoe.exe

Filesize
1.3MB

MD5
94259b5ad79024a5b6f5388f18ec061f

SHA1
975251f1d30d9e0c41a88ff58eaa98283d0b2c01

SHA256
100b97224063dbaea25b4d53672b7e3fc81443aeef10151c47096ffb3c849334

SHA512
1b66ddb7fecf930680557ca2e036902b6ac60754fb5fecf5283ad66c45dadfe0a1f1a876ca4a8ced007008c03df0b1720011bf5be692c5cd8db2ce8f3c63ee82

Download Submit
C:\Users\Admin\AppData\Roaming\cvtres.exe

Filesize
42KB

MD5
c09985ae74f0882f208d75de27770dfa

SHA1
31b7a087f3c0325d11f8de298f2d601ab8f94897

SHA256
e24570abd130832732d0dd3ec4efb6e3e1835064513c8b8a2b1ae0d530b04534

SHA512
d624e26d12588b8860f957f7dcfca29a84724dc087e26123136cd5e7e4e81c8233090fbd8455df17a73e452beaa780590d1f99b91ae27e151c39353999b11540

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28442\__splash\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28442\__splash\tcl86t.dll

Filesize
1.8MB

MD5
ac6cd2fb2cd91780db186b8d6e447b7c

SHA1
b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a

SHA256
a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6

SHA512
45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28442\__splash\tk86t.dll

Filesize
1.5MB

MD5
499fa3dea045af56ee5356c0ce7d6ce2

SHA1
0444b7d4ecd25491245824c17b84916ee5b39f74

SHA256
20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94

SHA512
d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

Download Submit
\Users\Admin\AppData\Local\Temp\mrtvez.exe

Filesize
55KB

MD5
d6e6e2fb2e45c7a2ca6585d86b39d2d0

SHA1
0f64d36122ea98d09b504041b5a511dc4a0b5275

SHA256
942f4aca0316e529d0b7c721b774f37738fb99d27fb4adc034d08cb31fd72924

SHA512
9493b05deed8e0bfdf590c60d7aa7894420b192fdfbd979d321aae9c9cc1d5104fa6125ae8139b12ba1e0c227727375fe046456733c20198f20508321d8adaa1

Download Submit
\Users\Admin\AppData\Local\Temp\xjfebo.exe

Filesize
31.8MB

MD5
1dd78e1d166b8996cebef2335a6a5ff4

SHA1
a5b9d55a7ce0ea5b870c000389f2de11eee10d3c

SHA256
016a3d5b64325ea0d7bb3561cfba8ba43ee937be69c8cd4f26ba8ee1e532d10f

SHA512
9d7bc3a7d493a2b7854caff5739b17faadff1e3330590c9ae089ac4354f31a08d6ed06dc5e2affed0baf3b1a2d04eafe23e67acef03b08be2f7ee7fabe7504f5

Download Submit
memory/1800-64-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-22-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-38-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-40-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-42-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-44-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-46-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-48-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-50-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-52-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-54-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-56-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-58-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-60-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-62-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-0-0x0000000000B90000-0x0000000000DDA000-memory.dmp

Filesize
2.3MB

Download
memory/1800-66-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-4098-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-4884-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/1800-4885-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1800-4886-0x0000000000A60000-0x0000000000AC2000-memory.dmp

Filesize
392KB

Download
memory/1800-4887-0x0000000000B10000-0x0000000000B5C000-memory.dmp

Filesize
304KB

Download
memory/1800-4888-0x00000000044D0000-0x0000000004524000-memory.dmp

Filesize
336KB

Download
memory/1800-4896-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-1-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-2-0x0000000005CC0000-0x0000000005EE6000-memory.dmp

Filesize
2.1MB

Download
memory/1800-3-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-34-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-4-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-6-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-32-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-8-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-10-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-30-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-28-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-26-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-24-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-36-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-20-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-18-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-16-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-14-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1800-12-0x0000000005CC0000-0x0000000005EDF000-memory.dmp

Filesize
2.1MB

Download
memory/1864-4912-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1864-4911-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/1864-4902-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1864-4901-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/1864-4900-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2676-4921-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-4920-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/2676-5995-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download