Analysis
max time kernel: 57s
max time network: 59s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 05-10-2022 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: 160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
  Resource: win10v2004-20220812-en
General
Target: 160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Size: 272KB
MD5: 8432e504f078f9319133a9ad826773fc
SHA1: 9d913d1aff658215553c79c74ec0cc3030248845
SHA256: 160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda
SHA512: 809769c7dc53c43de7d9de08f09ca06e286b91cac073fd01a8fc60bd9e3409f1cfbbf876ed69c5215c976a2fedecc5c49971dff93716f2eee073398087f388bc
SSDEEP: 6144:+ydAhddLVf6VaM/WSr/hBuzbgwu7wVfU+:+64dhf1cunnS+
Malware Config
Extracted family: djvu
C2: http://winnlinne.com/lancer/get.php
extension: .adww
offline_id: z8lhl4oForVEc7gy9Ra8rSqjYMl3xiFRuIW4not1
payload_url: http://rgyui.top/dl/build2.exe
payload_url: http://winnlinne.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-g28rVcqA58 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0573Jhyjd
Signatures
-
Detected Djvu ransomware 10 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/3480-155-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/3480-157-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/2636-160-0x0000000002320000-0x000000000243B000-memory.dmp   family_djvu
behavioral2/memory/3480-159-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/3480-163-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/3480-170-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/3480-181-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/4320-190-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/4320-192-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
behavioral2/memory/4320-197-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
-
Detects Smokeloader packer 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/4928-133-0x0000000000590000-0x0000000000599000-memory.dmp   family_smokeloader
behavioral2/memory/3996-166-0x0000000000560000-0x0000000000569000-memory.dmp   family_smokeloader
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
pid   process
2636  E9E8.exe
4800  F032.exe
3996  F256.exe
3480  E9E8.exe
796   E9E8.exe
4320  E9E8.exe
3040  build2.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  E9E8.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  E9E8.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
4252  regsvr32.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc                                                                                                                                                                   process
Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                   explorer.exe
Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                   explorer.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                process
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a1149413-0a47-482c-a6ea-d82528ddf9eb\\E9E8.exe\" --AutoStart"  E9E8.exe
-
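The Run value above is the persistence step of the Djvu stage: the copy of E9E8.exe that was placed in a GUID-named folder under %LOCALAPPDATA% is registered under HKCU\...\Run as "SysHelper" with the --AutoStart switch, so it re-executes at every logon as the victim user without needing elevation. The Python below is an added example, written for this page and not part of the sandbox or the report, that parses the IoC line exactly as printed (the report escapes string data with \" and \\), recovers the image path and arguments, and scores the entry on the three traits visible here: an untrusted location, a GUID-named parent folder and the --AutoStart switch. The sample line is a constructed copy of the row above; the weights in persistence_score are an assumption.

```python
import re
from typing import Dict, Optional

# Constructed sample: the "Adds Run key" IoC line exactly as this report prints it.
SAMPLE_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = '
    r'"\"C:\\Users\\Admin\\AppData\\Local\\a1149413-0a47-482c-a6ea-d82528ddf9eb\\E9E8.exe\" --AutoStart"'
)

_GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
_GUID_DIR_RE = re.compile(r"\\AppData\\Local\\" + _GUID + r"\\[^\\]+\.exe$", re.IGNORECASE)
_USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)
_RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
_TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)


def unescape_value(raw: str) -> str:
    """Undo the report's quoting of string data: outer quotes, then \\" and \\\\ escapes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace('\\\\', '\\')


def split_command(cmd: str):
    """Split a Windows command line into (image, args); the image may be quoted."""
    m = re.match(r'^"([^"]*)"\s*(.*)$', cmd) or re.match(r'^(\S+)\s*(.*)$', cmd)
    if not m:
        return "", ""
    return m.group(1), m.group(2).strip()


def parse_run_key_ioc(line: str) -> Optional[Dict[str, object]]:
    """Parse 'Set value (str) <key>\\<name> = "<data>"' into a persistence record."""
    if " = " not in line:
        return None
    lhs, rhs = line.split(" = ", 1)
    key_path = lhs.split(" ", 3)[-1]              # drop the 'Set value (str)' prefix
    run = _RUN_KEY_RE.search(key_path)
    if not run:
        return None                               # not a Run/RunOnce value
    sid_match = _USER_HIVE_RE.match(key_path)     # \REGISTRY\USER\<SID>\... is this user's HKCU
    image, args = split_command(unescape_value(rhs))
    return {
        "hive": "HKCU" if sid_match else "HKLM",
        "sid": sid_match.group(1) if sid_match else None,
        "key": run.group(1),
        "value_name": run.group(2),
        "image": image,
        "args": args,
        "guid_dir": bool(_GUID_DIR_RE.search(image)),
        "trusted_dir": bool(_TRUSTED_DIR_RE.match(image)),
        "autostart_flag": "--autostart" in args.lower(),
    }


def persistence_score(rec: Dict[str, object]) -> int:
    """Assumed weights: untrusted location +1, GUID-named folder +2, --AutoStart switch +2."""
    score = 0
    if not rec["trusted_dir"]:
        score += 1
    if rec["guid_dir"]:
        score += 2
    if rec["autostart_flag"]:
        score += 2
    return score


if __name__ == "__main__":
    rec = parse_run_key_ioc(SAMPLE_IOC)
    print(rec["hive"], rec["value_name"], "->", rec["image"], rec["args"], "score", persistence_score(rec))
```

The same parser applies to the HKLM hive (\REGISTRY\MACHINE\...), where the absence of a user SID is what distinguishes machine-wide autoruns from the per-user one seen here.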
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
24    api.2ip.ua
25    api.2ip.ua
41    api.2ip.ua
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                          pid   process   target process
PID 2636 set thread context of 3480  2636  E9E8.exe  E9E8.exe
PID 796 set thread context of 4320   796   E9E8.exe  E9E8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
Processes:
pid   pid_target  process       target process
3520  4800        WerFault.exe  F032.exe
1016  4800        WerFault.exe  F032.exe
380   4800        WerFault.exe  F032.exe
2668  4800        WerFault.exe  F032.exe
1884  4800        WerFault.exe  F032.exe
1312  4800        WerFault.exe  F032.exe
3356  4800        WerFault.exe  F032.exe
508   4800        WerFault.exe  F032.exe
1996  4800        WerFault.exe  F032.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                           process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  F256.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  F256.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  F256.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4928  160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe (2 entries)
2864  (process name not recorded in the report; 62 entries)
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process
4928  160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
2864  (process name not recorded in the report; 4 entries)
3996  F256.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                                                      pid   process
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (8 alternating pairs, 16 entries)  2864  (process name not recorded)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries)  1272  wmic.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege            2864  (process name not recorded)
Token: the same 21 privileges as above, in the same order (21 entries)  1272  wmic.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege            2864  (process name not recorded)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege             728   WMIC.exe
(64 IoCs listed)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                         pid   process       target process   count
PID 2864 wrote to memory of 2636    2864  (not recorded)  E9E8.exe       3
PID 2864 wrote to memory of 4800    2864  (not recorded)  F032.exe       3
PID 2864 wrote to memory of 3996    2864  (not recorded)  F256.exe       3
PID 2864 wrote to memory of 3872    2864  (not recorded)  regsvr32.exe   2
PID 3872 wrote to memory of 4252    3872  regsvr32.exe  regsvr32.exe     3
PID 2864 wrote to memory of 2348    2864  (not recorded)  explorer.exe   4
PID 2864 wrote to memory of 1048    2864  (not recorded)  explorer.exe   3
PID 2636 wrote to memory of 3480    2636  E9E8.exe      E9E8.exe         10
PID 3480 wrote to memory of 1908    3480  E9E8.exe      icacls.exe       3
PID 3480 wrote to memory of 796     3480  E9E8.exe      E9E8.exe         3
PID 4800 wrote to memory of 1272    4800  F032.exe      wmic.exe         3
PID 4800 wrote to memory of 5000    4800  F032.exe      cmd.exe          3
PID 5000 wrote to memory of 728     5000  cmd.exe       WMIC.exe         3
PID 4800 wrote to memory of 4092    4800  F032.exe      cmd.exe          3
PID 4092 wrote to memory of 2136    4092  cmd.exe       WMIC.exe         3
PID 796 wrote to memory of 4320     796   E9E8.exe      E9E8.exe         10
PID 4320 wrote to memory of 3040    4320  E9E8.exe      build2.exe       2
(64 IoCs listed; the count column collapses identical consecutive rows)
-
outlook_office_path 1 IoCs
Processes:
description  ioc                                                                                                                                  process
Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc                                                                                                                                                                   process
Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
-
[1] C:\Users\Admin\AppData\Local\Temp\E9E8.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\E9E8.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\E9E8.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\E9E8.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\icacls.exe
            cmdline: icacls "C:\Users\Admin\AppData\Local\a1149413-0a47-482c-a6ea-d82528ddf9eb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            - Modifies file permissions
        [3] C:\Users\Admin\AppData\Local\Temp\E9E8.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\E9E8.exe" --Admin IsNotAutoStart IsNotTask
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\E9E8.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\E9E8.exe" --Admin IsNotAutoStart IsNotTask
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe
                    cmdline: "C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe"
                    - Executes dropped EXE
-
[1] C:\Users\Admin\AppData\Local\Temp\F032.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\F032.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 536
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 540
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 540
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 676
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 760
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 860
        - Program crash
    [2] C:\Windows\SysWOW64\Wbem\wmic.exe
        cmdline: wmic os get Caption
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1304
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1340
        - Program crash
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /C "wmic cpu get name"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmdline: wmic cpu get name
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 140
        - Program crash
-
[1] C:\Users\Admin\AppData\Local\Temp\F256.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\F256.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
-
[1] C:\Windows\system32\regsvr32.exe
    cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F574.dll
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\regsvr32.exe
        cmdline: /s C:\Users\Admin\AppData\Local\Temp\F574.dll
        - Loads dropped DLL
-
[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
-
[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
-
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4800 -ip 4800
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4800 -ip 4800
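The icacls step in the tree above (depth 3, spawned by the hollowed E9E8.exe copy) is Djvu's self-protection for its persistence copy: it denies Everyone (S-1-1-0) the Delete (DE) and Delete-child (DC) rights on the GUID-named folder, and the (OI)(CI) flags make that deny inherit to the files and subfolders inside it, so the copied executable stays readable and runnable but cannot be removed by a cleanup running as the victim user. The Python below is an added example, written for this page and not code from the sandbox or the report, that parses such a command line into its ACEs, explains what is being denied to whom, decides whether the target is a user-writable location, and emits the icacls /remove:d command that strips the deny entry again. The command line is copied from this report into a constructed sample; the set of "broad" SIDs and the user-writable path pattern are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the icacls command line recorded in this report's process
# tree (PID 1908, spawned by the hollowed E9E8.exe copy).
SAMPLE_CMD = (
    r'icacls "C:\Users\Admin\AppData\Local\a1149413-0a47-482c-a6ea-d82528ddf9eb" '
    r'/deny *S-1-1-0:(OI)(CI)(DE,DC)'
)

# Assumed list of well-known SIDs that cover every interactive user; a deny for any
# of them also binds the victim's own account and whatever runs as it.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}
RIGHT_NAMES = {"DE": "delete", "DC": "delete child", "F": "full control",
               "M": "modify", "RX": "read & execute", "R": "read", "W": "write"}
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public)\\", re.IGNORECASE)


def _tokens(cmd: str) -> List[str]:
    """Whitespace split that keeps quoted paths together; surrounding quotes are dropped."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_ace(spec: str) -> Dict[str, object]:
    """'*S-1-1-0:(OI)(CI)(DE,DC)' -> principal, inheritance flags and rights."""
    principal, _, flags = spec.partition(":")
    principal = principal.lstrip("*")            # '*' marks a SID rather than an account name
    groups = re.findall(r"\(([^)]+)\)", flags)
    inherit = [g for g in groups if g in INHERIT_FLAGS]
    rights = [r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")]
    return {"principal": principal, "inherit": inherit, "rights": rights}


def parse_icacls(cmd: str) -> Dict[str, object]:
    toks = _tokens(cmd)
    if len(toks) < 2 or not re.search(r"(^|\\)icacls(\.exe)?$", toks[0], re.IGNORECASE):
        raise ValueError("not an icacls command line")
    result: Dict[str, object] = {"path": toks[1], "aces": []}
    i = 2
    while i < len(toks):
        opt = toks[i].lower()
        if opt.split(":")[0] in ("/deny", "/grant", "/remove") and i + 1 < len(toks):
            ace = parse_ace(toks[i + 1])
            ace["mode"] = opt[1:]                # deny, grant, grant:r, remove:g, remove:d
            result["aces"].append(ace)
            i += 2
        else:
            i += 1                               # /t, /c, /q, /inheritance:..., /reset: no ACE follows
    return result


def assess(parsed: Dict[str, object]) -> Dict[str, object]:
    """Flag a deny of delete/modify rights to a broad principal over a user-writable path."""
    reasons = []
    for ace in parsed["aces"]:
        if ace["mode"] != "deny":
            continue
        name = BROAD_SIDS.get(ace["principal"])
        blocked = [RIGHT_NAMES.get(r, r) for r in ace["rights"] if r in ("DE", "DC", "F", "M")]
        if name and blocked:
            scope = " and ".join("files" if f == "OI" else "subfolders"
                                 for f in ace["inherit"] if f in ("OI", "CI")) or "this object only"
            reasons.append(f"denies {', '.join(blocked)} to {name} on {scope}")
    writable = bool(USER_WRITABLE_RE.match(parsed["path"]))
    suspicious = bool(reasons) and writable
    remediation = [f'icacls "{parsed["path"]}" /remove:d *{a["principal"]}'
                   for a in parsed["aces"] if a["mode"] == "deny"] if suspicious else []
    return {"suspicious": suspicious, "user_writable_path": writable,
            "reasons": reasons, "remediation": remediation}


if __name__ == "__main__":
    verdict = assess(parse_icacls(SAMPLE_CMD))
    print(verdict)
```

Deny ACEs are evaluated before allow ACEs, which is why the folder owner's own full-control allow does not help here; the /remove:d form removes only the deny entries for that SID and leaves the allow entries untouched.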
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize 2KB
  MD5    596d2fdcebb9285d08c83e8c66f21dc9
  SHA1   d634a64d292467c4fe9f1b2b80ac3bf82a08d49f
  SHA256 0231bc4602667ff24bfa1caab1d56c225a54031c452c9de84b810be18628a3e3
  SHA512 fd0399c36455095561381c33ba0f6f98496dc2fd63792f148ec9dfbc06ed6ad24a6bf9aa7f559dba7f257ccd145ee8532418606c2eb282a42ca678de4231d818
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize 1KB
  MD5    b6f52795b677b4e2ad47736ffe3704a5
  SHA1   945cb962aae5a0986c476650006227debf93b51c
  SHA256 c8aff1f15506340e6abd76c8a8382e9caeba4fa8e8483254cf7ab9d22c2a57fe
  SHA512 1e241b4c9bf53a97c980dd09bc73abcaf05ed8ccc641d5b0ad1eadc4502b4c1519b62d9c51f8e38c73898c2eca4a4a2e81777763731bf0f36dc5c04a30ae0450
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize 488B
  MD5    92a86bd3ffd9fbb1663c56818ffd5495
  SHA1   4a0da29ee9fd29d5db3011e3d86851c22480ea5b
  SHA256 dec6e885be5f1530dd8df70698d4f96141f27d49c0757a91e490ad18f64e2898
  SHA512 f76fd0c019bfb1e9034b133f08908bc534e8499df53f83b64ee4d710e82536db507db86b264b8acc3c2190473d8dc9ec638f90bb0966bca247b89e46955d308f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize 482B
  MD5    05797fbdcfeb816e423f716d187feb13
  SHA1   becee715528610bd14714b44ca88112b928ac2ee
  SHA256 7e03492f2e99f226f8aaba4379abedbf2854b5ad3c43864d89d49f8082e0865f
  SHA512 73cd1994dbd6bd2c7a1049a9129bd5475aec27ed140487abd8fbb1b523d160fee07589751d4ba35065118addd5a31b79dddd4eba539ec0488b5754b21a9eca96
-
C:\Users\Admin\AppData\Local\Temp\E9E8.exe (5 identical entries)
  Filesize 791KB
  MD5    b8e31e6ad8d3e923f655411ee61abefb
  SHA1   9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9
  SHA256 8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7
  SHA512 f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2
-
C:\Users\Admin\AppData\Local\Temp\F032.exe (2 identical entries)
  Filesize 4.7MB
  MD5    f82e733fd7852c5143178e0665cfe0e4
  SHA1   d20a424dc1ae2bd6bd38a42b15b6c6805e54ce0f
  SHA256 0660a4343785eb72d375da179986e06adbb452aff45268965e5159ce36ace2b7
  SHA512 915120a9c164a189d3a83260731f0429571f74840a0b2e6470c424761f2309b6a2db80da26afd0fd091b6e055d376285dd0fa181fe93bc0bfa46cee82d3f5c70
-
C:\Users\Admin\AppData\Local\Temp\F256.exe (2 identical entries)
  Filesize 272KB
  MD5    40a0a6c5e1e1740c65df2422bc8bfa68
  SHA1   3df83e4ce8c6a63be7455e25dae444e28e6bdc4a
  SHA256 bbc376e926f6d2218f5b0ec97c402c54f888dedf6fe438b6fddbd0358e69606f
  SHA512 70c7e894aec4b8de391f6f7ac93ab841bdc735b69acf6b3ec8a34aacd6bf640803178c50a04d17050f0a94fdab4038953aa7522aa34e334e738a1cadea88e9b1
-
C:\Users\Admin\AppData\Local\Temp\F574.dll (2 identical entries)
  Filesize 2.0MB
  MD5    9d92c298bce081adbc27970066117179
  SHA1   6edbb822af723e4dbe7905ef569d510d0baf4491
  SHA256 7ea496fa0b759993e1dcb0a359a3cd94e07ee3782bf259ba50ea12a1abb16af3
  SHA512 9f1fa84f683af8b98225c9ff0044c4d85dbab8a19b0ae402a4214fa1b98c101e076111f7fb87d0e76000c9f3ac18e986544d1cae0d4331521bfdf9b34bbf5c2e
-
C:\Users\Admin\AppData\Local\a1149413-0a47-482c-a6ea-d82528ddf9eb\E9E8.exe
  Filesize 791KB
  MD5    b8e31e6ad8d3e923f655411ee61abefb
  SHA1   9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9
  SHA256 8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7
  SHA512 f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2
-
C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe (2 identical entries)
  Filesize 255KB
  MD5    9c3d4324a153c6438f48083bc333a962
  SHA1   033e80e2008f4f62d2716ce0473bb0d763d52277
  SHA256 5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98
  SHA512 8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd
-
memory/728-184-0x0000000000000000-mapping.dmp
memory/796-178-0x0000000000000000-mapping.dmp
memory/796-191-0x000000000211B000-0x00000000021AC000-memory.dmp  580KB
memory/1048-151-0x0000000000000000-mapping.dmp
memory/1048-152-0x0000000000F10000-0x0000000000F1C000-memory.dmp  48KB
memory/1272-182-0x0000000000000000-mapping.dmp
memory/1908-168-0x0000000000000000-mapping.dmp
memory/2136-186-0x0000000000000000-mapping.dmp
memory/2348-153-0x00000000012E0000-0x000000000134B000-memory.dmp  428KB
memory/2348-150-0x0000000001350000-0x00000000013C5000-memory.dmp  468KB
memory/2348-148-0x0000000000000000-mapping.dmp
memory/2348-164-0x00000000012E0000-0x000000000134B000-memory.dmp  428KB
memory/2636-160-0x0000000002320000-0x000000000243B000-memory.dmp  1.1MB
memory/2636-158-0x000000000216D000-0x00000000021FE000-memory.dmp  580KB
memory/2636-136-0x0000000000000000-mapping.dmp
memory/3040-199-0x0000000000000000-mapping.dmp
memory/3480-163-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/3480-159-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/3480-170-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/3480-154-0x0000000000000000-mapping.dmp
memory/3480-155-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/3480-157-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/3480-181-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/3872-145-0x0000000000000000-mapping.dmp
memory/3996-166-0x0000000000560000-0x0000000000569000-memory.dmp  36KB
memory/3996-169-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
memory/3996-165-0x00000000005AF000-0x00000000005C0000-memory.dmp  68KB
memory/3996-142-0x0000000000000000-mapping.dmp
memory/3996-167-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
memory/4092-185-0x0000000000000000-mapping.dmp
memory/4252-147-0x0000000000000000-mapping.dmp
memory/4252-179-0x0000000002D00000-0x0000000002E2D000-memory.dmp  1.2MB
memory/4252-162-0x0000000002D00000-0x0000000002E2D000-memory.dmp  1.2MB
memory/4252-161-0x0000000002A60000-0x0000000002BCE000-memory.dmp  1.4MB
memory/4252-175-0x0000000002F20000-0x0000000002FCC000-memory.dmp  688KB
memory/4252-174-0x0000000002E40000-0x0000000002F02000-memory.dmp  776KB
memory/4320-197-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4320-187-0x0000000000000000-mapping.dmp
memory/4320-190-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4320-192-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4800-172-0x0000000002F70000-0x00000000033B7000-memory.dmp  4.3MB
memory/4800-173-0x0000000000400000-0x00000000008AE000-memory.dmp  4.7MB
memory/4800-139-0x0000000000000000-mapping.dmp
memory/4800-198-0x0000000000400000-0x00000000008AE000-memory.dmp  4.7MB
memory/4928-132-0x00000000006DF000-0x00000000006F0000-memory.dmp  68KB
memory/4928-135-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
memory/4928-134-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
memory/4928-133-0x0000000000590000-0x0000000000599000-memory.dmp  36KB
memory/5000-183-0x0000000000000000-mapping.dmp