djvu | 014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
Size

661KB
MD5

5d9028e036648917b4bf2413a516f593
SHA1

dbdabc2417799e6cd1aadfed876dcb2a1c194ccb
SHA256

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb
SHA512

8df058884ff3ceaa0f4188ff398a5478a2d70c7ca8247358ce70d01dbab6e5dca674719e4ad7d5b62708efeae3e6cb89931c52f7efa328868e8ce39667985037

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Signatures

Detected Djvu ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2864-131-0x0000000000AD0000-0x0000000000BEA000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1284 icacls.exe

pid	process
1284	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\06684abf-e12d-4081-9d9e-4c0587589d79\\014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe\" --AutoStart"	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.2ip.ua
7 api.2ip.ua
25 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	api.2ip.ua
7	api.2ip.ua
25	api.2ip.ua

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4456	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
1252	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2556	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4688	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3624	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3924	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4620	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
332	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4116	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4136	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3560	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4884	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3224	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
220	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2044	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4916	2864	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3636	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4276	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
1016	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4348	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4784	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4340	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3464	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
400	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
4048	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
3900	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
1780	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
1268	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
1156	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
552	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2180	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2268	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
5060	2464	WerFault.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

pid	process
2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2464	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
2464	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

description	pid	process	target process
PID 2864 wrote to memory of 1284	2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe	icacls.exe
PID 2864 wrote to memory of 1284	2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe	icacls.exe
PID 2864 wrote to memory of 1284	2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe	icacls.exe
PID 2864 wrote to memory of 2464	2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
PID 2864 wrote to memory of 2464	2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
PID 2864 wrote to memory of 2464	2864	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe	014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

C:\Users\Admin\AppData\Local\Temp\014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
"C:\Users\Admin\AppData\Local\Temp\014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 836
  2⤵
  - Program crash
  PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 856
  2⤵
  - Program crash
  PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 856
  2⤵
  - Program crash
  PID:2556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 872
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 984
  2⤵
  - Program crash
  PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1060
  2⤵
  - Program crash
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1524
  2⤵
  - Program crash
  PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1600
  2⤵
  - Program crash
  PID:332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1804
  2⤵
  - Program crash
  PID:4116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1616
  2⤵
  - Program crash
  PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1828
  2⤵
  - Program crash
  PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1676
  2⤵
  - Program crash
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1600
  2⤵
  - Program crash
  PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1844
  2⤵
  - Program crash
  PID:220
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\06684abf-e12d-4081-9d9e-4c0587589d79" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 2096
  2⤵
  - Program crash
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe
  "C:\Users\Admin\AppData\Local\Temp\014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 768
    3⤵
    - Program crash
    PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 784
    3⤵
    - Program crash
    PID:4276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 800
    3⤵
    - Program crash
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 856
    3⤵
    - Program crash
    PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 960
    3⤵
    - Program crash
    PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1056
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1300
    3⤵
    - Program crash
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1416
    3⤵
    - Program crash
    PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1624
    3⤵
    - Program crash
    PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1660
    3⤵
    - Program crash
    PID:3900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1684
    3⤵
    - Program crash
    PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1712
    3⤵
    - Program crash
    PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1336
    3⤵
    - Program crash
    PID:1156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1664
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1680
    3⤵
    - Program crash
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1744
    3⤵
    - Program crash
    PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 776
    3⤵
    - Program crash
    PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 2076
  2⤵
  - Program crash
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2864 -ip 2864
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2864 -ip 2864
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2864 -ip 2864
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2864 -ip 2864
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2864 -ip 2864
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2864 -ip 2864
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2864 -ip 2864
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2864 -ip 2864
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2864 -ip 2864
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2864 -ip 2864
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2864 -ip 2864
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2864 -ip 2864
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2864 -ip 2864
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2864 -ip 2864
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2864 -ip 2864
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2864 -ip 2864
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2464 -ip 2464
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2464 -ip 2464
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2464 -ip 2464
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2464 -ip 2464
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2464 -ip 2464
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2464 -ip 2464
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2464 -ip 2464
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2464 -ip 2464
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2464 -ip 2464
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2464 -ip 2464
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2464 -ip 2464
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2464 -ip 2464
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2464 -ip 2464
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2464 -ip 2464
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2464 -ip 2464
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2464 -ip 2464
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2464 -ip 2464
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
727B

MD5
263d12469947e2539c2a2a04bb056345

SHA1
a63fd9efc397db4cc1a82cf89b7fc8e0f6694d39

SHA256
102af65a56e5cea616b871487be0aa8525e3258d514ca80d3a2918c3a4f23315

SHA512
571bd3d3ec72023ea4ec0861baeff535fc3e71716f2c08c3305f25d615448b13a4d4bc0f7d05c500f523ad13e6ba3c2e2549891c63cc170b7f1743bc8a148df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
1670ab0904b0779e9046a6c0ae0ccf8b

SHA1
0030369be3da0ef23ac809d8963fdeb76de17eeb

SHA256
34a5f72509ddfed75552cbb5007e460c9c9f6dc6c511b12e32083b1a9c030ba5

SHA512
e0cf63ec3f97979c2ad1318954f2daecc3639c3112548796ba8996eb119443a4bca933e1353f1dfd4068de7925ef765a3a9f4f5591702c5876b9a46246415e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
402B

MD5
548b11fdfd5d206084cd25505872b4b5

SHA1
8e3a2efd01e851d89e1d354e54616097ee27441e

SHA256
12348248f2196aad042d4820e8f958d4cdf705217752fdb32c09da29c85b83e6

SHA512
1145bb7e94c54d2115a01241e442bc5ea6ffc5fa5efb63ecb809033100b7e26580b1128eeda157741bfea17267d37ecc114281d677acc04d3897797a14002ec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
b061b0d60855b02f840d068e8777d6aa

SHA1
6f3a4ac0de756cb1a17a9693ab44c44814d9de9e

SHA256
8490bd3561ef59c24e138d2c4c61bf1e5e2fd4230055d15d12b068c0b2e10e2f

SHA512
62434011f41029ace8f43111da922040ea01c7e1fcd4328469e6210bfeade1ab2fd6e3ea37061da2a6c2d894b01378557adeb5a96d7bf44e9a5cba9a0a4ef2d2

Download Submit
C:\Users\Admin\AppData\Local\06684abf-e12d-4081-9d9e-4c0587589d79\014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb.exe

Filesize
661KB

MD5
5d9028e036648917b4bf2413a516f593

SHA1
dbdabc2417799e6cd1aadfed876dcb2a1c194ccb

SHA256
014cd29999543ef41ee3b37b9c7307d8e2c782111d0b3c9cb0961e88d04921eb

SHA512
8df058884ff3ceaa0f4188ff398a5478a2d70c7ca8247358ce70d01dbab6e5dca674719e4ad7d5b62708efeae3e6cb89931c52f7efa328868e8ce39667985037

Download Submit
memory/1284-133-0x0000000000000000-mapping.dmp

Download
memory/2464-135-0x0000000000000000-mapping.dmp

Download
memory/2464-136-0x00000000008E9000-0x000000000097A000-memory.dmp

Filesize
580KB

Download
memory/2464-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-130-0x0000000000A25000-0x0000000000AB6000-memory.dmp

Filesize
580KB

Download
memory/2864-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-131-0x0000000000AD0000-0x0000000000BEA000-memory.dmp

Filesize
1.1MB

Download