hxxps://demo2[.]cloudwp[.]dev/trial-x029t019/13-2/

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://demo2.cloudwp.dev/trial-x029t019/13-2/
Sample

210122-eaba6dv486

Score

6^/10

ransomware

Malware Config

Signatures

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\13-2[1].htm	js
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\13-2[1].htm	js
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\13-2[1].htm	js

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2312	4048	WerFault.exe	IEXPLORE.EXE
2320	4044	WerFault.exe	IEXPLORE.EXE
1304	1308	WerFault.exe	IEXPLORE.EXE
3192	1152	WerFault.exe	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 70 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30863512"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "72"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "44"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "58"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000033afcd95e7ad529976c9facb0f045c2ee9d9b36cfcb202f96607a90cd5bea064000000000e800000000200002000000024bfea88c3379bdb0469ec5be0311c27a9e4362cc5eec961f11eed1fea0dc67620000000ef85c4f419497ba3e0ec06198275b883888bf92e10fa80a6f182b68e0fcf8384400000008bead1cc3a65bef23ea5e2e78a17163e6acf2d926e8e0af573773b811236ef5643b38b3785ee00f91a3847fb2272870f02c50fb71bfb57268bf2711fd42a6671	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{963FB0E7-5C8B-11EB-B59A-FE97B1193F0B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000abba4db0520896c93241bda50d9bb19974b1603728ba39a0dd8f83ec986e15a9000000000e8000000002000020000000e583d60f11cc7fccd42603634960da27bbc2923acd14706f6a3e7a5bf0305f26e0000000da067f0a44fd58db7a43b1a2a2e1774544cc6d633ad8b4b62038dd33a40ed907a176a1f06e86e72432bf4271efb662cbb77206358ceb48d651f11176e22e740f2ff30a26238223c0d655e61c0fad4336d467d6997f48b898269536c0772e84165e3a6e6f0237d0736d749c0d94c626251e5b9d7b9e5efc312cbfa69cadeafbdbe5395f83056eac6a566f2412831f2d52902ce15d7ab911d78146f17c534c1596a6821fe6a13fd2716334327d024f4134f29a632daeee77e14e77129cee6e481f13653c3466bdd9a5678d9ae99db5e81b1493fdb58699ab4faeb3e905a5bb754340000000248b54bd55a0ef4f6bff96c28b7c2903a1169cf2c4c2f51cf7f10674c0272bea2d1e73333005a64cd377b6b9cbfd0cd85f0d8cc7d46374847122254b83f8ee6f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "86"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603a036a98f0d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "86"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30863512"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "72"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "86"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1801414365"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "58"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "58"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "72"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1801414365"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000159106c43653e93143699a918312cb48dbcf7913232e2cd6327a2dabc5de17cf000000000e8000000002000020000000e96e26219ce5603d854a13fea35e55779949ab0ec5c95a79ac06d315c4a85a9ee0000000ca6cd0fd1178a25a44c7b2cd1c9f7e9e7975d5a49e6f876642bd191624d73fda62f51295069462487da6e98831b9b211d40cc75464c0b1b6e9bc98f724f82d33b269e74f591af8deb0d2ec0d8efcc233ace629d663e6204935164a363ca8866eccd5a0fd22db66e0664487e0598cb917ef4dfc1d04cde60f9057a9fcda3631b25c2127dd8e1a3175ced3ceadfcfbb736e6c64e53c407a899b1cf3f51e04f01d9063135467f5a144b7b391f415d642216bc78d6ccdbd902dd26a15d1f0052669881abd5ce8398edf5c0953942212e5ec44580d5213b906e8407506b6d6aa2ce25400000001a89fe658b972d92c659dcfac5cc1f41220e19cd5cdd233865cd13208e343d4724e5356eaf8ad373682d3130f72fc7ded44955cba1749398555af7deca7ab5e2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\demo2.cloudwp.dev\ = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudwp.dev\Total = "86"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 66 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2312	WerFault.exe
Token: SeBackupPrivilege	2312	WerFault.exe
Token: SeDebugPrivilege	2312	WerFault.exe
Token: SeDebugPrivilege	2320	WerFault.exe
Token: SeDebugPrivilege	1304	WerFault.exe
Token: SeDebugPrivilege	3192	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

640 iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
640	iexplore.exe
640	iexplore.exe
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 640 wrote to memory of 4048	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 4048	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 4048	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 4044	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 4044	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 4044	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 1308	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 1308	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 1308	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 1152	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 1152	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 1152	640	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://demo2.cloudwp.dev/trial-x029t019/13-2/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 2868
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:148482 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 3152
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:148484 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 2748
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:279553 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 3124
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
f4026be98ff3846eb5bddba81c1aadb1

SHA1
a704562a673b08b505a8e6b1c408a88315b10ca8

SHA256
15ca074712f92d2b82c3bd6c46f069824cee697f9451d99ac9956ae9dfb1fea9

SHA512
7563c933e7c7353307e7f5966542e193d370800262cad4c81813a78d0f45fb82504ce926cf5e6e163ff4cc8eaf9f50a3ad6e47029cd9f3489212a24adbb64e0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dc173c854897fcf3b808e489b222ce3d

SHA1
841facd20e1e315b7f98eb1b4439c15300dd9509

SHA256
121da3265a3a5b46c4cea77fd0cac5a3b67b813f896a91b8263dd59c522e07b4

SHA512
d1a2b4d9240a7a80c5a4d0d705094ccec3cfcba477ae15d575f301928745b7b0844f168ea4469c18aaa79c60870cb587b59a28dcaf0a0b018ceafd1b56375c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\F2R6ZSHA\demo2.cloudwp[1].xml
MD5
92dd35e57b5d3dc7f8f178b4b329d25d

SHA1
37a295e17fac08c46dbd24bc392e96c731f76e00

SHA256
4e0760a2c0185e5d5265970a1becda7292925f36d9e810eb943951eecc773338

SHA512
ee8540a654116e9daaedb7c9d7839e2382eed6005eb802bb1398cbfe848091a1ef51e2728a29b377e77efad66d1a5c7a50aa04df57baf8c0037ee5a8f3c0e7e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\F2R6ZSHA\demo2.cloudwp[1].xml
MD5
df4d596f9cb2d5cd7acd05cb0dab0027

SHA1
b6de318044a8f649ebe48fff33cbb82849c3cca4

SHA256
cd4a27b7e044ba056de358c7e6b6daf797eb01f796f8641f4aacfaf17e538467

SHA512
eef57cd06f9719a50e035ef48c1a83041c2f4aee202e6ccc3c4ce12602dbf0c8c85520baa336c0020f779fcf11da031b5891d918d4732fc3c3118bfb1addd5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\F2R6ZSHA\demo2.cloudwp[1].xml
MD5
bd15c75d7097c8a5ac88722749dcaca6

SHA1
cf3edeabd2928ff44136264c90a9bc5bd9f149b7

SHA256
3d5ebd5fcbce6d3f30c4a8dfbf5bf57ec459ce8dc06fb0c742993064ee11850f

SHA512
d0eb745d2097621d783b6e8eeb1e6a21129060ffadd3abfba90f9aec03493e4bc6a5002d9d2632f9d72b9eaf5d12eafeaad23c815ea6f223b45da5294d6d0562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\13-2[1].htm
MD5
eeb420327c008554dd2ae978ee4dc4b7

SHA1
31d1c2015a572e6201b164defe1d85935c9d7a4b

SHA256
5b4c623888ecf7d8a98492b049adbab7847e9c1763395f308b6635e2e2286070

SHA512
41209b4e41e1b37b6990a3825db33699df1d6b9803e58c9a03bd7c1c77f4f68bb1e9878b251743c279c2b843bc251814c9da4c7e86383b49a9f30ae14515e1e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\13-2[1].htm
MD5
481dda79ec8781fa8630e5c1767c0223

SHA1
1c3a565466aac2a5524c980b75fbbad02c9bb062

SHA256
1e035929481caae9e1bbecec44c05049d7c2ed1c610c3bd27fdc0755f9110e6c

SHA512
b2fc99945600b974ef49d6fe126e5fbbc9be1a8c710d3813f7f811a79899ca2c464826fe142a99f63595336b727ca282ed3d218fc06509a2f72f4e606abeb91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\wp-embed.min[1].js
MD5
8ed6038a5dbf62380de72a681340afd3

SHA1
1b7f829b844eaa1a3e2d05f51fa81d6579d76738

SHA256
6ebcda7a3a41ef97f0b4071160ceb1020e540fdc0f790079a5c2ef01ab654fe0

SHA512
cf69087b8f92f7b81efa788c3eb0b8a551405cdc7fa137e09a918349617359715ad5ef833f901e8d6e80c9ff20f63091710b492224e2ad23848673995dff5610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\wp-emoji-release.min[1].js
MD5
c748456e1cf97f3303ee25c838b1ad76

SHA1
80b17d30a5e36f28c203a0cfc798792b532d85e7

SHA256
3685c3818240f5f390073c7d04f944a5cb5d848093224f3a7888034e8c050eb4

SHA512
2a649d4a6d8071ed0cd3945ecb8f53f5184f4fde392b6ce4ce56b37d15424c12b87f05885d63a13b27c2c339a525138f6c3e9ade4d20473fe13e30b3517a2e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\Page[1].jpg
MD5
8106f7ddb54685c2d155a4c7e7b1dddf

SHA1
ac4b477ea2c20850b7f720ed7c70ac055796ad3f

SHA256
5ef87bd59a3f591118bf1bd7367154e852d42cfa179dd42cc280624506aedee5

SHA512
487593fe44b6d529bc90faa7a44d3a0249f20a6cc2a428c715127585d1f316f219791e73cb3dc2e57f82d41bb35b5b1e03f07a097d275ff1ddedf22164f9e31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\ie[1].css
MD5
f2a53edf5dfb233f03b459741dd40782

SHA1
b1adfd125538bf43fa696b22a8117092fa3262c9

SHA256
e36c5c45861c21239b61ef2f16697eb6259fcd070130dd98b25c57a0c4481d17

SHA512
f7b525d5f3bb55a1889ab8560f9780da167e5425c9ab61f32b172972d3d6fae1d79be69894d67ed05253b029a1a5bb17c34c3485846684aad4528b2c94a1b13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\print[1].css
MD5
e8e8832f251be73550f32c605bc94036

SHA1
9b76b710a452a0a7b6843fe45460661fda0f1b1e

SHA256
3467f3eee5c95a86bb4992918b1368458185bf349949f862e6e3c5954fcd69f9

SHA512
f00cd37ab6fd66afe001b435eb0f04966b16980de8c6975b93bf171bc50cbedc375c8954fa4fda09bb3f87ee2d0277e08c95bc89cc0ab4e28f38bef847f7c93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\13-2[1].htm
MD5
a1d7872e8ab04b159c389026a6fe2f6c

SHA1
c8911b46c20d6f22fa405fd113630820960949eb

SHA256
10f548f99e62df57a79703450d6ee1443759f1b1a8e3e16a89c2e2d1e2e2958f

SHA512
e4d88a8755abd8fcf7a6bc8a853b5b6431d301dbcb6aab032415ff99471528a19979d320aa5834fb1ce51d37c0d7d00abfe1fade801670f74936b45596513ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\polyfills[1].js
MD5
3e85c0a757f48a5c902e199b9541202e

SHA1
f15488894000ed6af9ed1b5cbe3b498df3bd0b0e

SHA256
b59940a4e21a682c6762d2a7e30e44c321d1532232a8bd8d0ba47ca214a87081

SHA512
28c06432a28c5c2220d90b741863e28756dcffe46135798e749cda4b14070d69e1544612db55d9e13764f514498f124213b3021bf50f1108e71f3745da76a98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\responsive-embeds[1].js
MD5
e1bca0c59d4d7cdc71cd40dd976212ab

SHA1
48a13f7b218ed8098dfb905225bf706549afa8a9

SHA256
8e310a36b1291f2852665240afbe4ce5c3c60877bbbd47f861edab8992dbf876

SHA512
e80685a2e5b41f79d504e59adc40d8015efa69d48e84df01c36f13ed366d0e8811e051deef60ada663d8de00a3b621a3a9bdd72d4b0a11176ad292e2670657c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\style.min[1].css
MD5
27f5295ccf3ad9e0e85dcac543630288

SHA1
19810723999badc836eca3dee977b4de1bbca8ed

SHA256
5c2288ca7b324881faae5e368eb4d69457e2784e042e868de335d3827bb90981

SHA512
ffa38a60e417b21083ed1a26301e0ce8af712939d31fe1fc1cb3931844d9b0cac8f998c6437fcedadea2a86a66ba286025a5fe1d9a411b057d12a357c68aa2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\theme.min[1].css
MD5
fedc9311ebafd1704b6a71d3a5b3101a

SHA1
bff32573461a723d78e462c1e06f0624a8e5cddd

SHA256
83596846d160e44c98d8674d1f4b35be40646ec5ea30d9df136012028d354aa6

SHA512
9c8bcd7ed6c02f2ff8a3549ba95ae9257b16cfb1d77ef477940da021d7f3ebc4d557b2d033adb7b46026d2265ef429fb3c1cbd3f7e632aab4231a18d87a58a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3V0CVJG4.cookie
MD5
13ca8be25469eb59c490db815a368874

SHA1
c14cc00a1830a479425d2ee4777fd3799c7f17cf

SHA256
d696fb41b12ea789d36f360926757a9eb36b8c4370e880c24f4a55e68238970c

SHA512
4e6625ae6e11d0b85bee66a903392ac63ea53b832f72351cc4f8b154482905df5340126018931cb81b4982761668ccf844ac628ca963851a7c459bd623fc9d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\49U7MCGV.cookie
MD5
91e249cc70cf23c929237af517c416e4

SHA1
e0f4c81b59482133423d492b485af32444482a26

SHA256
1892d6eef0515f990d696dc15e09d26e23035c8a32b4486514e16cb192ede2d7

SHA512
ce3935f96608f2e79476741e77b56b155226e7d5e597f0edb538cf6050ae7ce3568fe9e5385793d511b2ad84211a88b5f7feb964305a56a71d36c0dfcfe62ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O7VAEBOC.cookie
MD5
995d578b1656e7dc33bafdeae2aa98b3

SHA1
b9da0f63851532a0c168fec7f7e7202a8a372ccd

SHA256
2dfc8994ef14db90108144c0e2b4ec816434af913437eb1ea2661df7d7adf2e3

SHA512
126e9a1d80b99792c69f6c980652fdb1fe8e47c532fac896e0772efde87d71a72ce02e59753fb50d03b5bad1a415cfe75314d79472635d66771c0a090ef4d88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VL639UT6.cookie
MD5
77c15ddd43b1df7e4077feafef748150

SHA1
c2e457d0ac3e7eefce7cd0407a3b99e0e7593866

SHA256
b2a16369203806b98aba9952835c23579e123eb63dcae1e6224655dce99a9f91

SHA512
1ea7a6249f9e999c2975697c236e31f6cfd8025f743c2a81d191c5724b610923170121725f63d30dec32e3254d33304b1d61912c2a46cd094320e65a46fa8431

Download Submit
memory/1152-23-0x0000000000000000-mapping.dmp

Download
memory/1304-28-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1308-22-0x0000000000000000-mapping.dmp

Download
memory/2312-7-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2312-6-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3192-32-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/4044-9-0x0000000000000000-mapping.dmp

Download
memory/4048-2-0x0000000000000000-mapping.dmp

Download