Analysis
  max time kernel: 149s
  max time network: 143s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/11/2022, 11:01
Static task
  static1
Behavioral task
  behavioral1
  Sample: 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
  Resource: win7-20220812-en
Behavioral task
  behavioral2
  Sample: 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
  Resource: win10v2004-20220812-en
General
  Target: 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
  Size: 320KB
  MD5: d4fae7a6d40bfaced3456d116c06636b
  SHA1: 08be33fe4ef5d9600b401b8d188da09236fe6ad8
  SHA256: 3e33cba3607467b99b975f6b69b90dfa3d63fc670e8449f37dd7c3356ec39fd3
  SHA512: 38788407eb16e8583099a0ba82c90e9c02fff037aba46b5fd381db87c7ed74a3625b27fd5e57fafa93c4ad08a7499706656630d45e47c7724762d79ce04ed471
  SSDEEP: 3072:XE1wAS2i/i5li6Y+VcuOuNMxCnFSe2KdVDAiFJRgO0VggjcGkNIVqIV7:uwAS2iapYacuO+QaJrDR3RXw7ITsq
Malware Config
  Extracted
    Family: redline
    Botnet: slovarik15btc
    C2: 78.153.144.3:2510
    auth_value: bfedad55292538ad3edd07ac95ad8952
  Extracted
    Family: redline
    Botnet: Google2
    C2: 167.235.71.14:20469
    auth_value: fb274d9691235ba015830da570a13578
Signatures

DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Detect Amadey credential stealer module (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x000300000000071f-271.dat | amadey_cred_module
  behavioral2/files/0x000300000000071f-273.dat | amadey_cred_module
  behavioral2/memory/2788-274-0x0000000000730000-0x0000000000754000-memory.dmp | amadey_cred_module
  behavioral2/files/0x000300000000071f-272.dat | amadey_cred_module

Detects Smokeloader packer (1 IoC)
  resource | yara_rule
  behavioral2/memory/4772-133-0x00000000001F0000-0x00000000001F9000-memory.dmp | family_smokeloader

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4716-141-0x0000000000412000-0x0000000000433000-memory.dmp | family_redline
  behavioral2/memory/4716-142-0x0000000000410000-0x0000000000438000-memory.dmp | family_redline
  behavioral2/memory/4328-168-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  58 | 2788 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (11 IoCs)
  pid | Process
  4940 | D21A.exe
  3200 | E564.exe
  2656 | E91E.exe
  3588 | EBB0.exe
  2268 | sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
  2032 | F8E0.exe
  1032 | A46.exe
  1136 | LYKAA.exe
  1992 | rovwer.exe
  3632 | rovwer.exe
  1532 | rovwer.exe

upx (yara rule matches, 4 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000022e39-183.dat | upx
  behavioral2/files/0x0007000000022e39-182.dat | upx
  behavioral2/memory/2032-188-0x0000000000750000-0x0000000000F39000-memory.dmp | upx
  behavioral2/memory/2032-190-0x0000000000750000-0x0000000000F39000-memory.dmp | upx
Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | EBB0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | LYKAA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | A46.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | rovwer.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  4884 | InstallUtil.exe
  4884 | InstallUtil.exe
  4884 | InstallUtil.exe
  2788 | rundll32.exe
  2788 | rundll32.exe

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 4940 set thread context of 4716 | 4940 | D21A.exe | 89
  PID 3200 set thread context of 4884 | 3200 | E564.exe | 95
  PID 2656 set thread context of 4328 | 2656 | E91E.exe | 96
  PID 1136 set thread context of 4164 | 1136 | LYKAA.exe | 126

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  2524 | 1032 | WerFault.exe | 104
  1252 | 3632 | WerFault.exe | 123

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2208 | schtasks.exe
  3620 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  2260 | timeout.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical entries collapsed, with counts)
  pid | Process | count
  4772 | 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe | 2
  3008 | Process not Found | 62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3008 | Process not Found

Suspicious behavior: MapViewOfSection (19 IoCs; identical entries collapsed, with counts)
  pid | Process | count
  4772 | 3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe | 1
  3008 | Process not Found | 18

Suspicious use of AdjustPrivilegeToken (64 IoCs; identical entries collapsed, with counts, in order of first occurrence)
  description | pid | Process | count
  Token: SeShutdownPrivilege | 3008 | Process not Found | 30
  Token: SeCreatePagefilePrivilege | 3008 | Process not Found | 30
  Token: SeDebugPrivilege | 2268 | sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe | 1
  Token: SeDebugPrivilege | 4328 | vbc.exe | 1
  Token: SeDebugPrivilege | 4716 | vbc.exe | 1
  Token: SeDebugPrivilege | 1136 | LYKAA.exe | 1

Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, with counts, in order of first occurrence)
  description | pid | Process | procid_target | count
  PID 3008 wrote to memory of 4940 | 3008 | Process not Found | 87 | 3
  PID 4940 wrote to memory of 4716 | 4940 | D21A.exe | 89 | 5
  PID 3008 wrote to memory of 3200 | 3008 | Process not Found | 91 | 3
  PID 3008 wrote to memory of 2656 | 3008 | Process not Found | 92 | 3
  PID 3008 wrote to memory of 3588 | 3008 | Process not Found | 94 | 2
  PID 3200 wrote to memory of 4884 | 3200 | E564.exe | 95 | 8
  PID 2656 wrote to memory of 4328 | 2656 | E91E.exe | 96 | 5
  PID 3588 wrote to memory of 2268 | 3588 | EBB0.exe | 97 | 2
  PID 3008 wrote to memory of 2032 | 3008 | Process not Found | 98 | 2
  PID 2268 wrote to memory of 2196 | 2268 | sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe | 99 | 2
  PID 2196 wrote to memory of 2260 | 2196 | cmd.exe | 101 | 2
  PID 2032 wrote to memory of 3536 | 2032 | F8E0.exe | 102 | 2
  PID 3008 wrote to memory of 1032 | 3008 | Process not Found | 104 | 3
  PID 3008 wrote to memory of 2584 | 3008 | Process not Found | 105 | 4
  PID 3008 wrote to memory of 4804 | 3008 | Process not Found | 106 | 3
  PID 2196 wrote to memory of 1136 | 2196 | cmd.exe | 107 | 2
  PID 3008 wrote to memory of 4700 | 3008 | Process not Found | 108 | 4
  PID 1136 wrote to memory of 3412 | 1136 | LYKAA.exe | 109 | 2
  PID 3412 wrote to memory of 2208 | 3412 | cmd.exe | 111 | 2
  PID 3008 wrote to memory of 2188 | 3008 | Process not Found | 112 | 3
  PID 1032 wrote to memory of 1992 | 1032 | A46.exe | 113 | 2

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes (indentation shows parent/child nesting)

[PID 4772] C:\Users\Admin\AppData\Local\Temp\3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[PID 4940] C:\Users\Admin\AppData\Local\Temp\D21A.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D21A.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [PID 4716] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious use of AdjustPrivilegeToken

[PID 3200] C:\Users\Admin\AppData\Local\Temp\E564.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E564.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [PID 4884] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        - Loads dropped DLL

[PID 2656] C:\Users\Admin\AppData\Local\Temp\E91E.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E91E.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [PID 4328] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious use of AdjustPrivilegeToken

[PID 3588] C:\Users\Admin\AppData\Local\Temp\EBB0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\EBB0.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [PID 2268] C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
        Command line: "C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [PID 2196] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp697.tmp.bat""
            - Suspicious use of WriteProcessMemory
            [PID 2260] C:\Windows\system32\timeout.exe
                Command line: timeout 3
                - Delays execution with timeout.exe
            [PID 1136] C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
                Command line: "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [PID 3412] C:\Windows\System32\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
                    - Suspicious use of WriteProcessMemory
                    [PID 2208] C:\Windows\system32\schtasks.exe
                        Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
                        - Creates scheduled task(s)
                [PID 4164] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
                    [PID 1072] C:\Windows\system32\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c cls

[PID 2032] C:\Users\Admin\AppData\Local\Temp\F8E0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\F8E0.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [PID 3536] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\F8E0.exe"

[PID 1032] C:\Users\Admin\AppData\Local\Temp\A46.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\A46.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [PID 1992] C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
        - Executes dropped EXE
        - Checks computer location settings
        [PID 3620] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
            - Creates scheduled task(s)
        [PID 2788] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - outlook_win_path
    [PID 2524] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1244
        - Program crash

[PID 2584] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

[PID 4804] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe

[PID 4700] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

[PID 2188] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe

[PID 2932] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1032 -ip 1032

[PID 3336] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

[PID 4724] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

[PID 1552] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

[PID 4964] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe

[PID 4988] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

[PID 3632] C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    - Executes dropped EXE
    [PID 1252] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 420
        - Program crash

[PID 2512] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3632 -ip 3632

[PID 1532] C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads (28 entries; identical entries collapsed, with the number of times each is listed)

- Filesize: 837KB (listed 4 times)
  MD5: 9796f845b710c1e68ee9f93592503665
  SHA1: 9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51
  SHA256: 2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f
  SHA512: c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135

- Filesize: 612KB
  MD5: f07d9977430e762b563eaadc2b94bbfa
  SHA1: da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
  SHA256: 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
  SHA512: 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

- Filesize: 1.9MB
  MD5: f67d08e8c02574cbc2f1122c53bfb976
  SHA1: 6522992957e7e4d074947cad63189f308a80fcf2
  SHA256: c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
  SHA512: 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

- Filesize: 1.0MB
  MD5: dbf4f8dcefb8056dc6bae4b67ff810ce
  SHA1: bbac1dd8a07c6069415c04b62747d794736d0689
  SHA256: 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
  SHA512: b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

- Filesize: 2KB
  MD5: 8730644b84be7e133ab21f97a43c0117
  SHA1: ac45ce1b256bed8f94a55153c5acdf1c6438b72d
  SHA256: 9562509765e4b604537ad94da94dfb7a675bc481e39ac98df0e245fa50a87169
  SHA512: d9f1a3479e4e362a7343213b2baaf4911b071effc066d3d8c07157116334f10f856823f937a1d768857af5186b826d4de2d7075a5e6a17fffaead7740348bf49

- Filesize: 359KB (listed 6 times)
  MD5: 2d71178035cc220c79f00a8fdd2df64b
  SHA1: fb289a0637c798844126c4ee726f013b9b971270
  SHA256: 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11
  SHA512: 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

- Filesize: 366KB (listed 2 times)
  MD5: 287572edc287d01d1e625d3b93efa326
  SHA1: 1ed75fcfe9a37ba94ab8c59bf5048b1a85932857
  SHA256: b6c62694edd72c240d022a7a33276ee091fa986437f571c50a34fd67c9b44e45
  SHA512: 02994440785ec5347fd4f0895d674456f360ef43bc2ed96502cce72210600ff0af912ce169d66716893ccdb1a6894d2a7c2c6715b0652178fbb0535962e170e9

- Filesize: 1.2MB (listed 2 times)
  MD5: b67545f8f9bcc95c2efca01d65d4c429
  SHA1: 062c213d68a70dfdaef4bc9828fbfd8ec0e0dbaf
  SHA256: 5c5b2716906f6be939574770f2ce1822dd3d4874dc1924a82096bccc377afde4
  SHA512: 4ca32731de173cc6a71f5b76ec94b98d340e3186f52719bdc7ed79849c5b2c4d5b2952c33e20716ce9af35d50d0e962521904a4a8d977e182dc3aabfdfa3d563

- Filesize: 366KB (listed 2 times)
  MD5: b6f73df0d1c7d5fef86b5f3034767901
  SHA1: 0bc4f94c5100cbfae5c520ca7b541c3c86d528f3
  SHA256: 82a405a195eb3815d8a5ead1c6271cb279f7dbc11abebb7129b59561ad36e4b2
  SHA512: 196c7c0321c6f35f9222d278fa226c9a5b28d5bdb22636be1a365db3f18d37c12371dff9881324244bd284cc764e257744b1d134860ce4485d4b3c8dc74b5f8a

- Filesize: 1.1MB (listed 2 times)
  MD5: 3cbeec829f400bbc837e6cedf044a6cb
  SHA1: b6906942e53a1482069c123ca7f127cdf50c25fc
  SHA256: f2ba48f9b1da2b3971f2e70b772a4d6fc503eb4b890fca1923b322687b77dd9f
  SHA512: 285f08009934e530ef37b1c98097e7ab1134943e0796fbc0413883e367110aa1d4f14f5ed242b9386d8677e2cbc3000bbe3ccea5ac27b0aa72128425c8106806

- Filesize: 2.8MB (listed 2 times)
  MD5: e654228f62c81cfa6da658858a46ccff
  SHA1: 6926e074d206a7f1bdab2a5c4f374c75338a4a93
  SHA256: e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003
  SHA512: bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a

- Filesize: 152B
  MD5: d277601503cf70e63f6cf3be0fc94432
  SHA1: b358c6815829ef9526f9a8898a4701704fcb0ad5
  SHA256: 3b4ee4d1825febdee2e702e20a57d10915a67956e70d9049b1e1482c7967d6a8
  SHA512: 8f54ba9bf10e7533b2acc8ae489993c8b0365a3209144143ac7bc2f62bb96d5c41802c1b80b8f0e408d70df4aad6ee59fd472590615d0e3159bd8745ae390a20

- Filesize: 126KB (listed 3 times)
  MD5: 522adad0782501491314a78c7f32006b
  SHA1: e487edceeef3a41e2a8eea1e684bcbc3b39adb97
  SHA256: 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba
  SHA512: 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7