Analysis
- max time kernel: 156s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-10-2022 16:38
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20220812-en)
General
- Target: file.exe
- Size: 232KB
- MD5: 52ffaf10efe8795445a3df86abd0ded2
- SHA1: c1daa480214146034e1bdb20286196246b7a7428
- SHA256: 10670270d9e09c0b5b515ad8fe190c975ac0427fb1f4a8257445ee0dbb7db2bd
- SHA512: 77db60f3fd3f930e7244f7728a1bc029fefbaa8f2161a040961c1256691eaf8fb6f4100dc0faea1d1ee96f5f3f828861fa977650cb0e87e58777f4fb2e4df4c6
- SSDEEP: 3072:sXN7q4qOU4rN6cMmlfez5r65zW+16b5A4dJQmEPc9HfmqJZ0K+Gyq0VP:oXqOOEfa6hbkbysQmt9FZ0zd
Malware Config
Extracted: djvu
- http://winnlinne.com/lancer/get.php
- extension: .powz
- offline_id: tHl9RvVtHhFQisMomKMdXzz2soNLhV0cuok85it1
- payload_url: http://rgyui.top/dl/build2.exe, http://winnlinne.com/files/1/build3.exe
- ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-oTIha7SI4s Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0581Jhyjd
Signatures
Detected Djvu ransomware (6 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/2452-149-0x00000000021A0000-0x00000000022BB000-memory.dmp | family_djvu |
| behavioral2/memory/1148-151-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral2/memory/1148-153-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral2/memory/1148-154-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral2/memory/1148-160-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral2/memory/1148-164-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |

Detects Smokeloader packer (3 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4224-133-0x00000000005F0000-0x00000000005F9000-memory.dmp | family_smokeloader |
| behavioral2/memory/1824-185-0x0000000000470000-0x0000000000479000-memory.dmp | family_smokeloader |
| behavioral2/memory/4132-207-0x00000000004B0000-0x00000000004B7000-memory.dmp | family_smokeloader |
Djvu Ransomware
Ransomware which is a variant of the STOP family.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file
Executes dropped EXE (8 IoCs)

| pid | Process |
| --- | --- |
| 1028 | gvgsivb |
| 4460 | 8DE8.exe |
| 2452 | CC6A.exe |
| 1148 | CC6A.exe |
| 2632 | 35A4.exe |
| 1824 | 4565.exe |
| 3160 | 473A.exe |
| 3876 | 4FA8.exe |

| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x000400000000072f-168.dat | vmprotect |
| behavioral2/files/0x000400000000072f-169.dat | vmprotect |
| behavioral2/memory/2632-170-0x0000000140000000-0x0000000140613000-memory.dmp | vmprotect |
| behavioral2/files/0x000b00000000a3c1-195.dat | vmprotect |
| behavioral2/files/0x000b00000000a3c1-194.dat | vmprotect |
| behavioral2/memory/3876-196-0x0000000140000000-0x0000000140613000-memory.dmp | vmprotect |

Loads dropped DLL (2 IoCs)

| pid | Process |
| --- | --- |
| 1240 | regsvr32.exe |
| 1240 | regsvr32.exe |

Modifies file permissions (1 TTPs, 1 IoCs)

| pid | Process |
| --- | --- |
| 4748 | icacls.exe |
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe |

Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\49b02f67-198e-4234-80e5-7dea0d075e6c\\CC6A.exe\" --AutoStart" | CC6A.exe |

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
| --- | --- |
| 46 | api.2ip.ua |
| 47 | api.2ip.ua |

Suspicious use of SetThreadContext (1 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2452 set thread context of 1148 | 2452 | CC6A.exe | 92 |

Program crash (10 IoCs)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 4632 | 4460 | WerFault.exe | 88 |
| 3504 | 4460 | WerFault.exe | 88 |
| 380 | 4460 | WerFault.exe | 88 |
| 4804 | 4460 | WerFault.exe | 88 |
| 1220 | 4460 | WerFault.exe | 88 |
| 3484 | 3160 | WerFault.exe | 104 |
| 1784 | 4460 | WerFault.exe | 88 |
| 2104 | 4460 | WerFault.exe | 88 |
| 3240 | 4460 | WerFault.exe | 88 |
| 384 | 4460 | WerFault.exe | 88 |
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | gvgsivb |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | gvgsivb |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | gvgsivb |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4565.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4565.exe |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4565.exe |

Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 4224 | file.exe |
| 4224 | file.exe |
| 376 | Process not Found |

The last row (376, Process not Found) is repeated 62 times in the report, giving 64 entries in total.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
| --- | --- |
| 376 | Process not Found |

Suspicious behavior: MapViewOfSection (7 IoCs)

| pid | Process |
| --- | --- |
| 4224 | file.exe |
| 1028 | gvgsivb |
| 1824 | 4565.exe |
| 376 | Process not Found |
| 376 | Process not Found |
| 376 | Process not Found |
| 376 | Process not Found |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 376 | Process not Found |
| Token: SeCreatePagefilePrivilege | 376 | Process not Found |
| Token: SeIncreaseQuotaPrivilege | 1420 | wmic.exe |
| Token: SeSecurityPrivilege | 1420 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 1420 | wmic.exe |
| Token: SeLoadDriverPrivilege | 1420 | wmic.exe |
| Token: SeSystemProfilePrivilege | 1420 | wmic.exe |
| Token: SeSystemtimePrivilege | 1420 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 1420 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 1420 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 1420 | wmic.exe |
| Token: SeBackupPrivilege | 1420 | wmic.exe |
| Token: SeRestorePrivilege | 1420 | wmic.exe |
| Token: SeShutdownPrivilege | 1420 | wmic.exe |
| Token: SeDebugPrivilege | 1420 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 1420 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 1420 | wmic.exe |
| Token: SeUndockPrivilege | 1420 | wmic.exe |
| Token: SeManageVolumePrivilege | 1420 | wmic.exe |
| Token: 33 | 1420 | wmic.exe |
| Token: 34 | 1420 | wmic.exe |
| Token: 35 | 1420 | wmic.exe |
| Token: 36 | 1420 | wmic.exe |

In the report the two 376 (Process not Found) rows are recorded 10 times in sequence, the 21 wmic.exe rows are recorded twice in sequence, and the two 376 rows appear once more at the end, for 64 entries in total.
Suspicious use of WriteProcessMemory (53 IoCs)

The entries are listed in report order; the count column gives how many times each identical row is recorded.

| description | pid | Process | procid_target | count |
| --- | --- | --- | --- | --- |
| PID 376 wrote to memory of 4460 | 376 | Process not Found | 88 | 3 |
| PID 376 wrote to memory of 3772 | 376 | Process not Found | 90 | 2 |
| PID 376 wrote to memory of 2452 | 376 | Process not Found | 91 | 3 |
| PID 2452 wrote to memory of 1148 | 2452 | CC6A.exe | 92 | 10 |
| PID 3772 wrote to memory of 1240 | 3772 | regsvr32.exe | 93 | 3 |
| PID 1148 wrote to memory of 4748 | 1148 | CC6A.exe | 94 | 3 |
| PID 376 wrote to memory of 2632 | 376 | Process not Found | 96 | 2 |
| PID 376 wrote to memory of 1824 | 376 | Process not Found | 101 | 3 |
| PID 376 wrote to memory of 3160 | 376 | Process not Found | 104 | 3 |
| PID 376 wrote to memory of 3876 | 376 | Process not Found | 108 | 2 |
| PID 376 wrote to memory of 1188 | 376 | Process not Found | 110 | 4 |
| PID 376 wrote to memory of 4132 | 376 | Process not Found | 115 | 3 |
| PID 4460 wrote to memory of 1420 | 4460 | 8DE8.exe | 116 | 3 |
| PID 4460 wrote to memory of 4392 | 4460 | 8DE8.exe | 120 | 3 |
| PID 4460 wrote to memory of 5040 | 4460 | 8DE8.exe | 124 | 3 |
| PID 5040 wrote to memory of 3888 | 5040 | cmd.exe | 125 | 3 |

outlook_office_path (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe |

outlook_win_path (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe |
Processes

Each entry gives the image path, PID, command line and the signatures the sandbox attached to that process; nested entries are child processes.

- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\gvgsivb (PID 1028)
  Command line: C:\Users\Admin\AppData\Roaming\gvgsivb
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\8DE8.exe (PID 4460)
  Command line: C:\Users\Admin\AppData\Local\Temp\8DE8.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 4632)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 560
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3504)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 568
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 380)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 580
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4804)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 700
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1220)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 792
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1784)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 884
    Signatures: Program crash
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1420)
    Command line: wmic os get Caption
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 2104)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1392
    Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 4392)
    Command line: cmd /C "wmic path win32_VideoController get name"
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4744)
      Command line: wmic path win32_VideoController get name
  - C:\Windows\SysWOW64\cmd.exe (PID 5040)
    Command line: cmd /C "wmic cpu get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3888)
      Command line: wmic cpu get name
  - C:\Windows\SysWOW64\WerFault.exe (PID 3240)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1416
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 384)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1348
    Signatures: Program crash
- C:\Windows\system32\regsvr32.exe (PID 3772)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9905.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1240)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\9905.dll
    Signatures: Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\CC6A.exe (PID 2452)
  Command line: C:\Users\Admin\AppData\Local\Temp\CC6A.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CC6A.exe (PID 1148)
    Command line: C:\Users\Admin\AppData\Local\Temp\CC6A.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe (PID 4748)
      Command line: icacls "C:\Users\Admin\AppData\Local\49b02f67-198e-4234-80e5-7dea0d075e6c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Signatures: Modifies file permissions
- C:\Users\Admin\AppData\Local\Temp\35A4.exe (PID 2632)
  Command line: C:\Users\Admin\AppData\Local\Temp\35A4.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 2892)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4460 -ip 4460
- C:\Windows\SysWOW64\WerFault.exe (PID 680)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4460 -ip 4460
- C:\Users\Admin\AppData\Local\Temp\4565.exe (PID 1824)
  Command line: C:\Users\Admin\AppData\Local\Temp\4565.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\WerFault.exe (PID 4940)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4460 -ip 4460
- C:\Users\Admin\AppData\Local\Temp\473A.exe (PID 3160)
  Command line: C:\Users\Admin\AppData\Local\Temp\473A.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 3484)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 448
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2456)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4460 -ip 4460
- C:\Windows\SysWOW64\WerFault.exe (PID 2856)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3160 -ip 3160
- C:\Users\Admin\AppData\Local\Temp\4FA8.exe (PID 3876)
  Command line: C:\Users\Admin\AppData\Local\Temp\4FA8.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3696)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4460 -ip 4460
- C:\Windows\SysWOW64\explorer.exe (PID 1188)
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path
- C:\Windows\SysWOW64\WerFault.exe (PID 620)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4460 -ip 4460
- C:\Windows\explorer.exe (PID 4132)
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\WerFault.exe (PID 4320)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4460 -ip 4460
- C:\Windows\SysWOW64\WerFault.exe (PID 3640)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4460 -ip 4460
- C:\Windows\SysWOW64\WerFault.exe (PID 4448)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4460 -ip 4460
Network
MITRE ATT&CK Enterprise v6
Downloads