2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a

Analysis

max time kernel
156s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 12:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
Size

6.1MB
MD5

e7b743dd5393cc94d59d6cac5481793b
SHA1

eb09cfcdb80820f2815dce73468767e396fab889
SHA256

2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a
SHA512

7014904a8acf609e2cb7fd8491d0e01eb463a8ed52f30b1848d8db4abfebd420025737175ed1b8259e6060142ecb4f901c1e8f7b34b13d8b0c8f2ce2de66ea23
SSDEEP

196608:+PaDvNGrrdav0DCveiuUW/v66sH6L6dsZypDf2b:b4riF3t4vBsaL6ds8Dfa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
32	3952	rundll32.exe
35	3952	rundll32.exe
37	3380	rundll32.exe
39	3380	rundll32.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe

Loads dropped DLL 9 IoCs

pid	Process
3952	rundll32.exe
1992	rundll32.exe
1404	rundll32.exe
1404	rundll32.exe
4572	rundll32.exe
3380	rundll32.exe
3380	rundll32.exe
4048	rundll32.exe
4048	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 1712	3952	rundll32.exe	207

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 62 IoCs

pid	pid_target	Process	procid_target
4496	1428	WerFault.exe	81
4468	1428	WerFault.exe	81
4812	1428	WerFault.exe	81
4804	1428	WerFault.exe	81
2564	1428	WerFault.exe	81
872	1428	WerFault.exe	81
4272	1428	WerFault.exe	81
4852	1428	WerFault.exe	81
4800	4376	WerFault.exe	105
2928	4376	WerFault.exe	105
736	4376	WerFault.exe	105
4532	4376	WerFault.exe	105
3796	4376	WerFault.exe	105
4608	4376	WerFault.exe	105
1644	4376	WerFault.exe	105
1888	4376	WerFault.exe	105
1932	2528	WerFault.exe	122
2000	1428	WerFault.exe	81
5108	2528	WerFault.exe	122
2620	2528	WerFault.exe	122
1500	2528	WerFault.exe	122
3320	2528	WerFault.exe	122
4468	4376	WerFault.exe	105
4812	2528	WerFault.exe	122
3732	2528	WerFault.exe	122
2564	2528	WerFault.exe	122
2904	2528	WerFault.exe	122
3540	3696	WerFault.exe	145
2168	3696	WerFault.exe	145
4120	3696	WerFault.exe	145
4636	3696	WerFault.exe	145
4208	3696	WerFault.exe	145
2012	3696	WerFault.exe	145
4840	3696	WerFault.exe	145
3748	3696	WerFault.exe	145
2636	3696	WerFault.exe	145
4584	628	WerFault.exe	165
3528	628	WerFault.exe	165
2788	628	WerFault.exe	165
2540	628	WerFault.exe	165
3476	628	WerFault.exe	165
2780	628	WerFault.exe	165
1952	628	WerFault.exe	165
916	628	WerFault.exe	165
3532	628	WerFault.exe	165
3768	628	WerFault.exe	165
4084	4320	WerFault.exe	187
2272	4320	WerFault.exe	187
4876	4320	WerFault.exe	187
4188	4320	WerFault.exe	187
2852	4320	WerFault.exe	187
4272	4320	WerFault.exe	187
1148	4320	WerFault.exe	187
2472	4320	WerFault.exe	187
2320	4320	WerFault.exe	187
2332	2016	WerFault.exe	208
4760	2016	WerFault.exe	208
3396	2016	WerFault.exe	208
2780	2016	WerFault.exe	208
1952	2016	WerFault.exe	208
916	2016	WerFault.exe	208
4880	2016	WerFault.exe	208

Checks processor information in registry 2 TTPs 49 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	rundll32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4376	1428	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	105
PID 1428 wrote to memory of 4376	1428	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	105
PID 1428 wrote to memory of 4376	1428	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	105
PID 4376 wrote to memory of 2528	4376	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	122
PID 4376 wrote to memory of 2528	4376	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	122
PID 4376 wrote to memory of 2528	4376	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	122
PID 1428 wrote to memory of 3952	1428	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	127
PID 1428 wrote to memory of 3952	1428	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	127
PID 1428 wrote to memory of 3952	1428	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	127
PID 4376 wrote to memory of 1992	4376	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	138
PID 4376 wrote to memory of 1992	4376	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	138
PID 4376 wrote to memory of 1992	4376	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	138
PID 2528 wrote to memory of 3696	2528	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	145
PID 2528 wrote to memory of 3696	2528	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	145
PID 2528 wrote to memory of 3696	2528	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	145
PID 2528 wrote to memory of 1404	2528	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	146
PID 2528 wrote to memory of 1404	2528	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	146
PID 2528 wrote to memory of 1404	2528	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	146
PID 3696 wrote to memory of 628	3696	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	165
PID 3696 wrote to memory of 628	3696	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	165
PID 3696 wrote to memory of 628	3696	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	165
PID 3696 wrote to memory of 4572	3696	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	166
PID 3696 wrote to memory of 4572	3696	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	166
PID 3696 wrote to memory of 4572	3696	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	166
PID 628 wrote to memory of 4320	628	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	187
PID 628 wrote to memory of 4320	628	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	187
PID 628 wrote to memory of 4320	628	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	187
PID 628 wrote to memory of 3380	628	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	188
PID 628 wrote to memory of 3380	628	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	188
PID 628 wrote to memory of 3380	628	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	188
PID 3952 wrote to memory of 1712	3952	rundll32.exe	207
PID 3952 wrote to memory of 1712	3952	rundll32.exe	207
PID 3952 wrote to memory of 1712	3952	rundll32.exe	207
PID 4320 wrote to memory of 2016	4320	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	208
PID 4320 wrote to memory of 2016	4320	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	208
PID 4320 wrote to memory of 2016	4320	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	208
PID 4320 wrote to memory of 4048	4320	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	209
PID 4320 wrote to memory of 4048	4320	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	209
PID 4320 wrote to memory of 4048	4320	2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe	209

C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
"C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 628
  2⤵
  - Program crash
  PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 908
  2⤵
  - Program crash
  PID:4468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 944
  2⤵
  - Program crash
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 980
  2⤵
  - Program crash
  PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 960
  2⤵
  - Program crash
  PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 980
  2⤵
  - Program crash
  PID:872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1152
  2⤵
  - Program crash
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
  "C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 600
    3⤵
    - Program crash
    PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 996
    3⤵
    - Program crash
    PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1004
    3⤵
    - Program crash
    PID:736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1004
    3⤵
    - Program crash
    PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1100
    3⤵
    - Program crash
    PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1108
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1140
    3⤵
    - Program crash
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
    "C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 600
      4⤵
      Program crash
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 996
      4⤵
      Program crash
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1004
      4⤵
      Program crash
      PID:2620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1068
      4⤵
      Program crash
      PID:1500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1084
      4⤵
      Program crash
      PID:3320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 996
      4⤵
      Program crash
      PID:4812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1108
      4⤵
      Program crash
      PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
      "C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 600
        5⤵
        Program crash
        
        PID:3540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 884
        5⤵
        Program crash
        
        PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 924
        5⤵
        Program crash
        
        PID:4120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1104
        5⤵
        Program crash
        
        PID:4636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1040
        5⤵
        Program crash
        
        PID:4208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1104
        5⤵
        Program crash
        
        PID:2012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 924
        5⤵
        Program crash
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 600
        6⤵
        Program crash
        
        PID:4584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 996
        6⤵
        Program crash
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1004
        6⤵
        Program crash
        
        PID:2788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1004
        6⤵
        Program crash
        
        PID:2540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1112
        6⤵
        Program crash
        
        PID:3476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1068
        6⤵
        Program crash
        
        PID:2780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1076
        6⤵
        Program crash
        
        PID:1952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1108
        6⤵
        Program crash
        
        PID:916
      - C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 600
        7⤵
        Program crash
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 980
        7⤵
        Program crash
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 984
        7⤵
        Program crash
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 980
        7⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 980
        7⤵
        Program crash
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1104
        7⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 984
        7⤵
        Program crash
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b4cea65e0eda303abf53617728952e4c5764527b7007050ee8b7eb48e8ee51a.exe"
        7⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 192
        8⤵
        Program crash
        
        PID:2332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 900
        8⤵
        Program crash
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1056
        8⤵
        Program crash
        
        PID:3396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1064
        8⤵
        Program crash
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1092
        8⤵
        Program crash
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1068
        8⤵
        Program crash
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1072
        8⤵
        Program crash
        
        PID:4880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        7⤵
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1004
        7⤵
        Program crash
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1156
        7⤵
        Program crash
        
        PID:2320
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 984
        6⤵
        Program crash
        
        PID:3532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1116
        6⤵
        Program crash
        
        PID:3768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        5⤵
        Loads dropped DLL
        
        PID:4572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1016
        5⤵
        Program crash
        
        PID:3748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 912
        5⤵
        Program crash
        
        PID:2636
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      4⤵
      Loads dropped DLL
      PID:1404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 984
      4⤵
      Program crash
      PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1128
      4⤵
      Program crash
      PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 984
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
    3⤵
    - Loads dropped DLL
    PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 600
    3⤵
    - Program crash
    PID:4468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1048
  2⤵
  - Program crash
  PID:4852
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14070
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1152
  2⤵
  - Program crash
  PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1428 -ip 1428
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1428 -ip 1428
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1428 -ip 1428
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1428 -ip 1428
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1428 -ip 1428
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1428 -ip 1428
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1428 -ip 1428
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1428 -ip 1428
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4376 -ip 4376
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4376 -ip 4376
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4376 -ip 4376
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4376 -ip 4376
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4376 -ip 4376
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4376 -ip 4376
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4376 -ip 4376
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4376 -ip 4376
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2528 -ip 2528
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1428 -ip 1428
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2528 -ip 2528
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2528 -ip 2528
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2528 -ip 2528
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2528 -ip 2528
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4376 -ip 4376
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2528 -ip 2528
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2528 -ip 2528
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2528 -ip 2528
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2528 -ip 2528
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3696 -ip 3696
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3696 -ip 3696
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3696 -ip 3696
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3696 -ip 3696
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3696 -ip 3696
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3696 -ip 3696
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3696 -ip 3696
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3696 -ip 3696
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3696 -ip 3696
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 628 -ip 628
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 628 -ip 628
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 628 -ip 628
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 628 -ip 628
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 628 -ip 628
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 628 -ip 628
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 628 -ip 628
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 628 -ip 628
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 628 -ip 628
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 628 -ip 628
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4320 -ip 4320
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4320 -ip 4320
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4320 -ip 4320
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4320 -ip 4320
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4320 -ip 4320
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4320 -ip 4320
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 4320 -ip 4320
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 4320 -ip 4320
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 4320 -ip 4320
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 2016 -ip 2016
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 2016 -ip 2016
1⤵
PID:1340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 2016 -ip 2016
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 2016 -ip 2016
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2016 -ip 2016
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 2016 -ip 2016
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 2016 -ip 2016
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84c7bf32-db39-40e7-95b4-e9bdddb0a182.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
eccfb0448e3d62bb2b68716a6484ce47

SHA1
e2fc41456f9bcc5eb2f1c251371162c6d10a0277

SHA256
dccb53d2002d129a653c84c4365ada3fbe522754ce1f7c72aead496239c18558

SHA512
65facc17173670afdbe20501c174b5d78bfe21655e194af9beabfb963886a35a0bdfd3e1b604223eeeb81531c719b75405fe73963019d058c05540c1a7bab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeesisuoeiaqit.tmp

Filesize
3.5MB

MD5
30d9bc7452d5819b304b121c517a8f73

SHA1
ea1b8ffa9f4918a90dfd7f574b5b0694bedb1d01

SHA256
364c226e4aadbfbe0ba89b0eeb4e8346462cf33f8e4a26ba9cf6501f196f3710

SHA512
db2e7649e3bbfa81234442e70666bf966edf904f3f33551940af6c77dada6cd958be81c003c34d71eb929e3f7ce3d3aa4665135fb67f420092b03931209c8fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7626.txt

Filesize
414KB

MD5
1665e1695efb8cff7253aa22d3b8d1af

SHA1
bb5cfec3bfdba7957199595d25dc5871ba1e55d9

SHA256
29ae5501fbe82cf6ca45bc724e22db29fe115d5ee4ff67c1fac3055eaec04816

SHA512
c9abb0bc028617a4152a27ce89a1b92f973d23fcc7cc6d2893c4a714f65ffd36255c9874c5bfacad4d514e7b67ecf5c37dd9cf017a25584c925c9bc490d0e9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7626.txt

Filesize
11KB

MD5
3c93e285f3bbe6e86160089a0a7ecc11

SHA1
8de0d9f28e092e4cc12a343c1a01331b3c83901b

SHA256
c1806d15c75249bf5c76a2119add70bc35932fa352195e869336c875729fd91b

SHA512
027e65e768f04c310b094e9dd029ac59bda27aef30605856336354b5490f0982267a8e5743a15bd7cfebe60dfe169f7c1d8ec7b5b492dd9008a15521023b55b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct4ED3.tmp

Filesize
62KB

MD5
2e8f497235815362c3d2fe5f4d56010c

SHA1
c6c9c84fbdb7b85261ba818adbc18cab8158d692

SHA256
4420111c2dcd4928407eb5dec0c7270d382375392635959c816faf8b50cb95e3

SHA512
046993e0cbc526bda57a098cbe3902cc1ee81f90540fadd9004a2ac800b6f37703222986de994a07c175555c51cb641e2f71e9c560b6f174fe039b8dc1217133

Download Submit
memory/628-176-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/628-167-0x00000000035F6000-0x0000000003BE0000-memory.dmp

Filesize
5.9MB

Download
memory/628-168-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/1404-161-0x0000000002170000-0x00000000024BD000-memory.dmp

Filesize
3.3MB

Download
memory/1404-154-0x0000000002170000-0x00000000024BD000-memory.dmp

Filesize
3.3MB

Download
memory/1404-156-0x0000000002170000-0x00000000024BD000-memory.dmp

Filesize
3.3MB

Download
memory/1428-134-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/1428-132-0x0000000003461000-0x0000000003A4B000-memory.dmp

Filesize
5.9MB

Download
memory/1428-133-0x0000000005430000-0x0000000005A50000-memory.dmp

Filesize
6.1MB

Download
memory/1428-143-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/1712-189-0x000002D9531F0000-0x000002D953330000-memory.dmp

Filesize
1.2MB

Download
memory/1712-194-0x0000000000F40000-0x00000000011E8000-memory.dmp

Filesize
2.7MB

Download
memory/1712-216-0x000002D953360000-0x000002D953619000-memory.dmp

Filesize
2.7MB

Download
memory/1712-192-0x000002D953360000-0x000002D953619000-memory.dmp

Filesize
2.7MB

Download
memory/1712-190-0x000002D9531F0000-0x000002D953330000-memory.dmp

Filesize
1.2MB

Download
memory/1992-158-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1992-148-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2016-214-0x00000000034C8000-0x0000000003AB2000-memory.dmp

Filesize
5.9MB

Download
memory/2016-217-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/2528-140-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/2528-139-0x00000000034BA000-0x0000000003AA4000-memory.dmp

Filesize
5.9MB

Download
memory/2528-157-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3380-174-0x0000000002500000-0x000000000284D000-memory.dmp

Filesize
3.3MB

Download
memory/3380-175-0x0000000002500000-0x000000000284D000-memory.dmp

Filesize
3.3MB

Download
memory/3380-183-0x0000000002500000-0x000000000284D000-memory.dmp

Filesize
3.3MB

Download
memory/3696-159-0x000000000367F000-0x0000000003C69000-memory.dmp

Filesize
5.9MB

Download
memory/3696-166-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3696-160-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3952-193-0x0000000003690000-0x00000000041EF000-memory.dmp

Filesize
11.4MB

Download
memory/3952-180-0x0000000003690000-0x00000000041EF000-memory.dmp

Filesize
11.4MB

Download
memory/3952-187-0x00000000043D0000-0x0000000004510000-memory.dmp

Filesize
1.2MB

Download
memory/3952-186-0x00000000043D0000-0x0000000004510000-memory.dmp

Filesize
1.2MB

Download
memory/3952-179-0x0000000003690000-0x00000000041EF000-memory.dmp

Filesize
11.4MB

Download
memory/3952-181-0x00000000043D0000-0x0000000004510000-memory.dmp

Filesize
1.2MB

Download
memory/3952-184-0x00000000043D0000-0x0000000004510000-memory.dmp

Filesize
1.2MB

Download
memory/3952-182-0x00000000043D0000-0x0000000004510000-memory.dmp

Filesize
1.2MB

Download
memory/3952-149-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3952-185-0x00000000043D0000-0x0000000004510000-memory.dmp

Filesize
1.2MB

Download
memory/3952-145-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4048-198-0x0000000002370000-0x00000000026BD000-memory.dmp

Filesize
3.3MB

Download
memory/4048-213-0x0000000002370000-0x00000000026BD000-memory.dmp

Filesize
3.3MB

Download
memory/4048-199-0x0000000002370000-0x00000000026BD000-memory.dmp

Filesize
3.3MB

Download
memory/4048-212-0x0000000002C60000-0x00000000037BF000-memory.dmp

Filesize
11.4MB

Download
memory/4048-207-0x0000000002C60000-0x00000000037BF000-memory.dmp

Filesize
11.4MB

Download
memory/4048-206-0x0000000002C60000-0x00000000037BF000-memory.dmp

Filesize
11.4MB

Download
memory/4320-178-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4320-215-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4320-177-0x00000000035FA000-0x0000000003BE4000-memory.dmp

Filesize
5.9MB

Download
memory/4376-136-0x00000000035EA000-0x0000000003BD4000-memory.dmp

Filesize
5.9MB

Download
memory/4376-137-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4376-155-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4572-169-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4572-165-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads