Analysis
-
max time kernel
1785s -
max time network
1798s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 18:52
General
-
Target
AncelsPerformanceBatch.bat
-
Size
165KB
-
MD5
95e5072c5582d546e2bd42eee4642376
-
SHA1
e920b5930456311885ed1506d2b6eee76d745bf1
-
SHA256
a1af1cebcb9b024f05690fd07e65a7363e3bc0395cfc788102e9a907e76dda03
-
SHA512
597caafd90f4ac9177bd9de3fe3523b2a8711596b93d9eb1e0a97efc08dad8033772040c35471b6ebd74d992676da485c7542776c2f062a2bdbad234aea2ee7d
-
SSDEEP
1536:dl2cSlFWJQlpTUgIafq+2RSM88xck4YaXv5n1kwM+ZA:7aNJ4cFuL
Malware Config
Extracted
xworm
146.190.110.91:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Extracted
gurcu
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Signatures
-
Detect Xworm Payload 2 IoCs
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 11 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AncelsPerformanceBatch.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Set-ExecutionPolicy Unrestricted"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb78b2cc40,0x7ffb78b2cc4c,0x7ffb78b2cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5124,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4412,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5300,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,16573626838828461732,1810534662284876894,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"1⤵
-
C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\msedgewebview2.exe"C:\ProgramData\msedgewebview2.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 18:59 /du 23:59 /sc daily /ri 1 /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D44.tmp.cmd""3⤵
-
C:\Windows\system32\timeout.exetimeout 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CloseInstall.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\Build\README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"1⤵
-
C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
-
-
C:\ProgramData\msedgewebview2.exe"C:\ProgramData\msedgewebview2.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"1⤵
-
C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"C:\Users\Admin\Downloads\JASONRAT_2.1.1.0\JASONRAT_2.1.1.0\JASON.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
-
-
C:\ProgramData\msedgewebview2.exe"C:\ProgramData\msedgewebview2.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exeC:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD5d090afac81f4dc04cb2fd1d91dd2ded5
SHA12a50653cfa54c762a68f047614f351bbdb07dde9
SHA256d27bbaf80c6282b1bb91d3b7f3343302c7000c38a7a8a7ddd1fad95d7444706b
SHA5128cf88c7c3fb5736100fbec1da2f293feaa8ef0464ad68e1453eb544d136c6a5d508e34313d644c8cac6f80eef108df10f160a2f530cb105e9cddc05916f2a632
-
Filesize
336B
MD5dde4a78462f7ab3a007f75231f1e7deb
SHA178f592389840d27e1b717628536dc7e41039fbc1
SHA256f2e3251f9de28a6a25cb52750baa87fb5f9f940194f314a169528570c9b6d61c
SHA51281c9c92dd08b72a58f8f9613147d82dc9b0d28d67ece8e93bba09b87af1fd82eff2c0089526007ea25642d6d5df512b5f57054eb09c058a4ec2eeb71e60d7bd7
-
Filesize
2KB
MD5dc0b6db893f6740919bff4853c92bf1a
SHA1a100470c86d13fcd910a5dd020084e099e04faed
SHA2568172a90d0169222f16c0d1a39ed95730cbc8b0e480fc1c25125224b694159140
SHA512ddd2d85c6ada433421b69705aefd09e727e61af4139a8308261d3645adc51c589452b7bd44b5dfbc41c60356d24d47533c5df1aab0ad4c3a20bd4f802941993a
-
Filesize
2KB
MD51daaaedfb3da0f3701140052663e000e
SHA11134fb99942b6d8e395feffbd30ae213667a0d53
SHA256c9adb5ed729eac1cd63658cb9cd5d03f6eb63dfa7ded17aba259c39aa362e2c5
SHA512bd2ee7317fa2b92aa54ea01b45024d5901d50c32fed840322138c2e77efbdb40c9b71a29e673dbfe6327e44be7d1eefb9a899fc25c80c18feff8692622177837
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
523B
MD5e8de5e440eddb89352c8cab26c5280e5
SHA1f8f22ea9cc50c677bd7ca81702af2867ec5b9ee7
SHA256ed5f480928485a752c51c5e3df0202cf400b17a4acbc7334f2cedb53e4e3866b
SHA5123e3c334ef069067c18bbd0c42428d4c661893f65dc6736ba0f1972269b4c76dabda33fe080cf6e60d89c950522a6af26f3bf89a00395eaf89168714232dbaff8
-
Filesize
356B
MD5eca55de3f8d39871a1dae5536cd4d5c1
SHA1c17f68250de99b208481a988d692a04202d0ad9f
SHA25644b74d03293f16164d738d390e83294a724938c3194f37063e23ee3062b5abd3
SHA512034c7a2022ea29263a7b5be3150a0ff55bf278d69384e641628496ae2a9a4a10c667981ae4028c2bc5a73a37875d6faf198352193e18f20744250be8080ae449
-
Filesize
690B
MD59fc6e74bfd3ecf3da331583cc16ba6b0
SHA1d8720900452a6c9ecda015be84493d4d77b9a7cd
SHA25686d7d8be4e6032f6755c80e322aedb988cb8c587bc26eec325274aebd1a44070
SHA512492edb3143f9a6fea79e344f5cd4e985dbd380fee6bf5ae4de96db0a73eb637cd6b96c5a89dc4842785983e59ee0238c22f2bdf8e88c8cfad399fb3bcfd342af
-
Filesize
9KB
MD5b1b523453552db8179f2e4c9c8b92876
SHA17a607e0257a30bc4cc32599231d9955f73d1125b
SHA256501bf9106b1013e63df96f9a7fcf56e526a3a61bdce618d57938872d924f2a8a
SHA512b9ebac029684ca7dd482fde25f53aa8f8c63ba72b47a11f344f52f71da4deffe0737434a89221ffa22f36ad197531d675211d149f5dcc21e8b4b4c410939e15f
-
Filesize
9KB
MD573e7218cbe55d93b6201b72e35e1e619
SHA1e8dab9214c4a52b2b32fdd93e12d10b77e9936aa
SHA256846329cf9aa7971fb4f77506b5afcd2e54dbb53fd8683c80decac002be0a57c4
SHA51209c0880b8d9ed41d3683f53c9bbde4053bad1575341f4e8fdd1f704f6885c934faf769a0e52599110d6a73b5501955f5ab4059725cd4e00854ab0658796f8469
-
Filesize
9KB
MD5d1129ea763e2899223820b8612eb0baf
SHA17ac05dbe6ef445c5b13186c21d42f2aae92b4280
SHA256fa43362e95cee0a42e72145d8c01a7f50b6ff06021c35487128711d66e249b81
SHA5129b5bcb908b5b9a1c8ef95aa36e311e0c358c087206a3aa3852c0a74fa8903f1bb109e165c1b0f6cc73e1544c695f2841b050b2499c13176a537dc903d488b0c8
-
Filesize
10KB
MD5c8323efb578ea33d89deb963300a350a
SHA1121a68efb53196634c30090c1c67ba4a0cb3a86c
SHA2569bae40cab1bcb1fccc14dee8488829399ed153aefb32793ad66d35e6daec6a7e
SHA5122fc48b8773f188ee1f4a588f292e30f2cc46d42e1642b9b549d3314a3a45cda935a008c33340f51756ff3962725badb39bfc08a55d8a80a9f698f5630ccad9c0
-
Filesize
9KB
MD5ed7db3a728583e8d16d310107e06842e
SHA1d0475914e919091975ef6193cea40a2da57a5cf6
SHA2561eaa7844828b4a14e74be90f21d4b5b9d9d8283f07928eff045be0782b15c25f
SHA512b12d9543797980a7c733261779e931d17ede699b03fcd2e89f9b3b08251c370a8932101696d1f10e41fa6fd81f434b8374a08ee61036b20ff3e517257a591ea6
-
Filesize
9KB
MD5614fd6494e22be811b3947948b80df4b
SHA12abc2954a0acaedb7f565ea144b390ad9f259e52
SHA25699cbe45054cee9800d291657e8a4de7186d060247edaf24c50ee32a9ec371fe4
SHA5121a814ed6906499bc0d191aa6603350e644d7cbe1e56a252ac851fa919a411100725b8ca318027de3c5beea160174c831b522f1d053276e318d6f093f6e7dedf3
-
Filesize
15KB
MD539a3c4b84c0eb852898490c02cada7c7
SHA1f3922185b0bec3aa880ad48b808edead3db9890f
SHA2569792aefc9e21e11656a810f3b19d4036012c3bf58f5c8846c75f5e9257f8dd7b
SHA51200a7cf53a7cc3f377f62245bf3d84d78dcce3fc97077cc66c0e9dae04f7797c6bd54d42ceb16e7c478ae5f4958881f68814f92996962041ea65201e01cfd0a60
-
Filesize
234KB
MD5fe113fd5b5e1b9a59189ebca2102cec3
SHA1cb005dbf91f3ca1c5dc369c8cf045143901651b5
SHA256c3e1eaae1cbadc464220b98605687de6ae9d693f07ca720348a3253041f451a2
SHA512d27713fa20282ae101974ef028187414807171b05dbfced10e751bf2ca3b9031f9565d0c3aff18f9994b81e7ea69f6ffc15f66da455890f23e3a0a68db26efb5
-
Filesize
234KB
MD5fbc4bd9fb0250b414366c76893e277b2
SHA1639a6f6d12430f9b212cc30630781847d20044ab
SHA256d544cddff88129c2cfb0e6ed557938460dd5f9872a5210a254a2e38e629626f0
SHA5129dcb0e648337e106ab8aef8e39afaa813007ecfd259734851b7ccd55c4b1f01724706b4a0409f541251370a97c9c9e85643095db3e5e2935321bbb40dd1f2d28
-
Filesize
234KB
MD53ce69540861eb0d065651e7a2d01656c
SHA1836978fd4cc9ff84f1ee50a72c6c8ceb5aec10aa
SHA256b20a35cc93e96e76da2ebf108537d3525bb8eaacaa48b125647c3a50f06eaba0
SHA51216cd73d52fe3d70920b8fb0552206c52e4f09ec8efa9cd22aec24bb38a12302ae73b920fbde6c6ca03b0b0f3ef2c306cd4949d39bb2af0330d624e162cdd6b6a
-
Filesize
264KB
MD59eda6e4ba6f216abd16367e2e0d86c73
SHA1ca4d7810af1b692de7e8c9a06284b45cda355708
SHA256e052ee46405917426fba39ce6ce8cd47a2f539c9cd5e552221425e8417112894
SHA5121b10aad0fa19b5129664f13ef7f30432e26c1f4957a9f5cf571597eec21ecd07fad94ed10f0d86919345e5254124d0ed25e6947493896af888d500f846d6da47
-
Filesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
660B
MD51c5e1d0ff3381486370760b0f2eb656b
SHA1f9df6be8804ef611063f1ff277e323b1215372de
SHA256f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
SHA51278f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743
-
Filesize
2KB
MD5d136d3411d4aa688242c53cafb993aa6
SHA11a81cc78e3ca445d5a5193e49ddce26d5e25179f
SHA25600ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397
SHA512282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
Filesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
Filesize
944B
MD5d8cb3e9459807e35f02130fad3f9860d
SHA15af7f32cb8a30e850892b15e9164030a041f4bd6
SHA2562b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.4MB
MD55c6813be78380f8e2acaa40189b9d235
SHA14afcb8d5d9c6c22b4d7d19357e53385827143114
SHA25605be96bf0986474f7c22ea1bd82b105980145b7ec56dcc4d38cc0fbd6d6da5e1
SHA512b0529ac076729341f1a4c905dbdb0c6a398e178e9894309cd7a49ce9b1a2610bec6f4f82e40a59280f7bd8e23bd6f3c60061f1d0c00661bbae2bc5211e6bc0d1
-
Filesize
147B
MD5cbdd81e5dd81380fdf5355cf9dcd0083
SHA1e166f618b264c29d2cecc5cb196ae89fabb8cdc9
SHA25603bb1e14fc46dd15c059fbc0bc2cd928aedf7af5c697af9915f1ebd158c37cd8
SHA5126ef0ab57ac833e651d5d061117c892447870dd796bd28e18389fa3e043f0b7f0306d32f090e0948469f0f6f7960cc8a8a54596bee690f6491c02d744abca6041
-
Filesize
1KB
MD50922619eff11b2447f3489d70664941f
SHA12c8f5f182d0301f3b16c503f0d60c30dcf21db77
SHA256c00029150bed8e2375548024ddf5c93511dbad58d0e884c6db33911d0c373add
SHA512a1f77e4db77b8e22e3a3faf80feb6dcadfc6b9fae5c3e74deebe29402a24ac969801020cbaf3b717cba637131fc246d51a752bf5911ce6855ce0c2d6723555f8
-
Filesize
771B
MD538cee3d916cf2be0563dec8ad9a75aea
SHA1d09967c023ceef19a469473b6c68398b05896919
SHA256b309cd291090912ce2959995b217762be9674e112d775dea25af05981b71bca2
SHA512e9d77b6bef8680cf21ab8d81cf64ee13cc0e3d4e6a985dcd1966b055f0d5d1e5e6c9ad5efcd6ec630ca074e2753f4a4dcaa5d84214e47f191bf10bbcef3117d6
-
Filesize
65KB
MD536dde308d5e09405a94dad6844ca0c44
SHA1c585d502f48206f767f97ac7f7acd4112c314ccc
SHA256c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b
SHA5125964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923
-
Filesize
39.5MB
MD5e5ea8d7817ca73a49498d161b3e6241a
SHA1cf5e04fb92dcd3d73ab20a2f9f4fc9d817a1b3f4
SHA256a8800374c2bfc020bc6ede2c09f5a299dc629646cf150015f5b41405adbe925b
SHA512d237504f2c992c8dd4be454d76a00f11306f51024735d5e28e917b370065faa5a3a17bf0f2872230e2641bb8cb67f7fdf9b2d42a47ff2a5ca4e961523b91b822
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
264KB
-
Filesize
2.3MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
39.6MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
29.0MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB