chaos | f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unconfirmed 307690.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP

3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/920-1-0x0000000000E50000-0x0000000000EDE000-memory.dmp	family_chaos
behavioral1/files/0x0008000000023494-17.dat	family_chaos
behavioral1/files/0x00070000000234b1-42.dat	family_chaos

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\MRUListEx = ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1092616257"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a00000002e37a3569cced2119f0e006097c686f60700000028000000e0859ff2f94f6810ab9108002b27b3d902000000a00000002e37a3569cced2119f0e006097c686f602000000780000002e37a3569cced2119f0e006097c686f60400000088000000	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000040000000300000002000000ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\MRUListEx = ffffffff	Unconfirmed 307690.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1092616257"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1"	Unconfirmed 307690.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Pictures"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\NodeSlot = "5"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:PID = "0"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0400000003000000020000000100000000000000ffffffff	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Unconfirmed 307690.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
920	Unconfirmed 307690.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	Unconfirmed 307690.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe
920	Unconfirmed 307690.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1584	920	Unconfirmed 307690.exe	99
PID 920 wrote to memory of 1584	920	Unconfirmed 307690.exe	99
PID 1584 wrote to memory of 4108	1584	csc.exe	101
PID 1584 wrote to memory of 4108	1584	csc.exe	101
PID 920 wrote to memory of 376	920	Unconfirmed 307690.exe	109
PID 920 wrote to memory of 376	920	Unconfirmed 307690.exe	109
PID 376 wrote to memory of 1600	376	csc.exe	111
PID 376 wrote to memory of 1600	376	csc.exe	111

C:\Users\Admin\AppData\Local\Temp\Unconfirmed 307690.exe
"C:\Users\Admin\AppData\Local\Temp\Unconfirmed 307690.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkmjlfy1\pkmjlfy1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF894.tmp" "c:\Users\Admin\Documents\CSC5DF6C20F9FCD483ABD635A8C1B4BDEBD.TMP"
    3⤵
    PID:4108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3oluqzg\q3oluqzg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD70D.tmp" "c:\Users\Admin\Desktop\CSCE9C6EE271AEA4C29A753D3C75DD9D8F.TMP"
    3⤵
    PID:1600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD70D.tmp

Filesize
1KB

MD5
6794231af57a6911bb72f56347e2ef17

SHA1
8ad4955e68efb02f62606c04cd4ab7e34d7f01f0

SHA256
6539eb83038917be04d35303d2fef1f5d0c283be14cfc5b8787b7578c17a6a0f

SHA512
4ff54fb42fcfa71ca72200c2229cb6ce44305ecf0287121e0178195c885f5314a692b5b34c7bfcf0ce25998e4c5129ce2b265455e6a2ed3183dd31dc84cb50c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF894.tmp

Filesize
1KB

MD5
c96cb114caa2a91418ede2ba3380e3cc

SHA1
ea1cb4552425ef2c1520beac03d437c5d7834e8a

SHA256
7309d1a54df41e62442ade7befa5c017de5500e21c3e792ebb6ecae7fd06ee28

SHA512
a937013114077459a418f18de8f9073b57257755520f8cd0ff86cb22b61029c6efe26ae44d8be623e046c468284696c7814435c4e4bbe98bf28b5bf857d6dc35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkmjlfy1\pkmjlfy1.0.cs

Filesize
30KB

MD5
305452c0b2f1cc607a575d99cf5ae0cc

SHA1
3bde783f6edc2d0b8463e260cb34b7aeeb6a8658

SHA256
1feb98c34e4ea623c4f356b0abc2c200008cffe29539525f3231f00e59bb47e3

SHA512
7b2922d974a18628709d7aa72bf1812cef72791583d7f932fcacea31f1dd9523b1ef8f09d5df7897c8c86521bc45c48e00dd9126cf39d104e4e873a7647c3ba8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkmjlfy1\pkmjlfy1.cmdline

Filesize
334B

MD5
d82fc6db4d0424dc89f03d7fa76a9101

SHA1
71ae97f82868696964c4221133f3cf91fce4acac

SHA256
420e6e8a1114a536871dbc1fbfefcc2811118d2482ae83b58b68988b924a02f6

SHA512
7e5dc64ec835dabdac22f58ced2269821d571904a7a324e264784b0d80415fd2f50d1de9c283afa18f504419f2e70912cd0eb26a5ea705792590871b55a94605

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3oluqzg\q3oluqzg.0.cs

Filesize
594KB

MD5
18559fc65e36d345d4b50c84c8575b9c

SHA1
551d6e6e5b03992d0bff5326e5288da6df9e3860

SHA256
ab51a2bd2edee25a074846cf2d266549f37670c01da73bf1a1a12fd824f46c98

SHA512
37ad54a2e45ab655fbc20053391af4fedcfe188723f437dc7e212b8d6d9c8a086285dd55f9d85c0781a021999427042af3c13b187a9f0633554df7c5a17f2361

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3oluqzg\q3oluqzg.cmdline

Filesize
330B

MD5
7764d98b1d79d21499e1bf2977d38172

SHA1
079fb898e4bcdfb999f93673cfe6879bc8f69d1e

SHA256
b8f779246567716bffc12232e47767b86feee6b6c4ebf7420a0ac6182d5531f0

SHA512
d5f99c60b5b6cc1eb9bea39a4eec2d437b21395f85fc311e6233782f578b7a82098c2d61c5d1bea6b21b6ec38d8c2aaed804c7f3bfd90a050e87df5dea87a7dc

Download Submit
\??\c:\Users\Admin\Desktop\CSCE9C6EE271AEA4C29A753D3C75DD9D8F.TMP

Filesize
1KB

MD5
d10342f231920cc04e3d5b695aebd6de

SHA1
33c90b435ba5f78f6cd10f217feac61d77f8d294

SHA256
61105340dc36a23c6da5c75b3b7e15eee3ed676324f08788740a8a24ab5dd42c

SHA512
f04fe2e948129179894d7917989759859409be138f0d11b90a40f1ba6c801e394abe4289df52b9030d420c976bec441945d939fe9820b2b8820c47e7b1b180fb

Download Submit
\??\c:\Users\Admin\Documents\CSC5DF6C20F9FCD483ABD635A8C1B4BDEBD.TMP

Filesize
1KB

MD5
dc5a4d78dd3a6a5748f28c571af08c76

SHA1
507a9e6dab72e120366da0df0d15c6c20b08f299

SHA256
d42e2abf6c4790f5fa5898f3c15e63d1bec514b1e8a9773266d643ada06a569f

SHA512
caf6d503da9db4da81065bec0d546bc54a9bb090978bd6ad37eecd5d3614c54be9388ad861b41a47ee24d42373d63890a0235af7b1d06cbee4b4d95bbb3ae2f3

Download Submit
memory/920-6-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/920-25-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-10-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/920-8-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-7-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-0-0x00007FF901A03000-0x00007FF901A05000-memory.dmp

Filesize
8KB

Download
memory/920-5-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/920-9-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-28-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-30-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-37-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download
memory/920-4-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/920-3-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/920-2-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/920-1-0x0000000000E50000-0x0000000000EDE000-memory.dmp

Filesize
568KB

Download
memory/920-50-0x0000000020CF0000-0x0000000020E9E000-memory.dmp

Filesize
1.7MB

Download