Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2022 03:51
Static task
static1
Behavioral task
behavioral1
Sample
9e6e6f7c2683bbce65570e600df6a7bb.exe
Resource
win7-20221111-en
General
-
Target
9e6e6f7c2683bbce65570e600df6a7bb.exe
-
Size
335KB
-
MD5
9e6e6f7c2683bbce65570e600df6a7bb
-
SHA1
dbb3694b114c0c2edd8455529e71efd97c002e18
-
SHA256
4bdfe505e72b4bb6b082967fab23e3e1cf282189c5b5c98f9b096d8a525535c9
-
SHA512
deab3e2bca008a665e30e27c7ee298fe9cea5dd4f94705eb463c43fd6d3d93b13cb403f6aa63d5314cf622f3d780044c045e7e2e82ac45076534991483454bdb
-
SSDEEP
6144:21IUF1z+RxP9aWU/WKlH29hffn3h+3oQ9gOU+fzYBb6:bE0BaWmjWPfnY9gT6
Malware Config
Extracted
redline
easy1018
chardhesha.xyz:81
jalocliche.xyz:81
-
auth_value
56edfa3741d7e2286e0bcfe901712a2c
Extracted
vidar
55.7
1827
https://t.me/deadftx
https://www.ultimate-guitar.com/u/smbfupkuhrgc1
-
profile_id
1827
Extracted
amadey
3.50
193.56.146.174/g84kvj4jck/index.php
Extracted
redline
KRIPT
212.8.246.157:32348
-
auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Amadey credential stealer module 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll amadey_cred_module C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll amadey_cred_module -
Detects Smokeloader packer 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1792-133-0x0000000000030000-0x0000000000039000-memory.dmp family_smokeloader -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2876-140-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral2/memory/4224-248-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 120 3896 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes:
150E.exe1CA1.exe23B6.exe2677.exe3210.exerovwer.exe4367.exerovwer.exerovwer.exepid process 2524 150E.exe 2768 1CA1.exe 4900 23B6.exe 3752 2677.exe 1008 3210.exe 1656 rovwer.exe 2552 4367.exe 3784 rovwer.exe 1640 rovwer.exe -
Processes:
resource yara_rule behavioral2/memory/2220-271-0x0000000000400000-0x0000000000BEB000-memory.dmp upx behavioral2/memory/2220-272-0x0000000000400000-0x0000000000BEB000-memory.dmp upx behavioral2/memory/2220-269-0x0000000000400000-0x0000000000BEB000-memory.dmp upx behavioral2/memory/2220-273-0x0000000000400000-0x0000000000BEB000-memory.dmp upx -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1CA1.exerovwer.exe2677.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 1CA1.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation rovwer.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 2677.exe -
Loads dropped DLL 3 IoCs
Processes:
1CA1.exerundll32.exepid process 2768 1CA1.exe 2768 1CA1.exe 3896 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
150E.exe3210.exe4367.exedescription pid process target process PID 2524 set thread context of 2876 2524 150E.exe vbc.exe PID 1008 set thread context of 4224 1008 3210.exe ngentask.exe PID 2552 set thread context of 2220 2552 4367.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 6 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4556 2524 WerFault.exe 150E.exe 2488 3752 WerFault.exe 2677.exe 1704 2768 WerFault.exe 1CA1.exe 3476 4900 WerFault.exe 23B6.exe 4004 3784 WerFault.exe rovwer.exe 4784 1640 WerFault.exe rovwer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
9e6e6f7c2683bbce65570e600df6a7bb.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 9e6e6f7c2683bbce65570e600df6a7bb.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 9e6e6f7c2683bbce65570e600df6a7bb.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 9e6e6f7c2683bbce65570e600df6a7bb.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
1CA1.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 1CA1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 1CA1.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2948 timeout.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 117 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
9e6e6f7c2683bbce65570e600df6a7bb.exepid process 1792 9e6e6f7c2683bbce65570e600df6a7bb.exe 1792 9e6e6f7c2683bbce65570e600df6a7bb.exe 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 1040 -
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
9e6e6f7c2683bbce65570e600df6a7bb.exepid process 1792 9e6e6f7c2683bbce65570e600df6a7bb.exe 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 1040 -
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes:
23B6.exevbc.exengentask.exedescription pid process Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeDebugPrivilege 4900 23B6.exe Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeDebugPrivilege 2876 vbc.exe Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeDebugPrivilege 4224 ngentask.exe Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 Token: SeShutdownPrivilege 1040 Token: SeCreatePagefilePrivilege 1040 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
150E.exe2677.exe1CA1.execmd.exerovwer.execmd.exedescription pid process target process PID 1040 wrote to memory of 2524 1040 150E.exe PID 1040 wrote to memory of 2524 1040 150E.exe PID 1040 wrote to memory of 2524 1040 150E.exe PID 2524 wrote to memory of 2876 2524 150E.exe vbc.exe PID 2524 wrote to memory of 2876 2524 150E.exe vbc.exe PID 2524 wrote to memory of 2876 2524 150E.exe vbc.exe PID 2524 wrote to memory of 2876 2524 150E.exe vbc.exe PID 2524 wrote to memory of 2876 2524 150E.exe vbc.exe PID 1040 wrote to memory of 2768 1040 1CA1.exe PID 1040 wrote to memory of 2768 1040 1CA1.exe PID 1040 wrote to memory of 2768 1040 1CA1.exe PID 1040 wrote to memory of 4900 1040 23B6.exe PID 1040 wrote to memory of 4900 1040 23B6.exe PID 1040 wrote to memory of 4900 1040 23B6.exe PID 1040 wrote to memory of 3752 1040 2677.exe PID 1040 wrote to memory of 3752 1040 2677.exe PID 1040 wrote to memory of 3752 1040 2677.exe PID 1040 wrote to memory of 1008 1040 3210.exe PID 1040 wrote to memory of 1008 1040 3210.exe PID 1040 wrote to memory of 1008 1040 3210.exe PID 3752 wrote to memory of 1656 3752 2677.exe rovwer.exe PID 3752 wrote to memory of 1656 3752 2677.exe rovwer.exe PID 3752 wrote to memory of 1656 3752 2677.exe rovwer.exe PID 2768 wrote to memory of 3424 2768 1CA1.exe cmd.exe PID 2768 wrote to memory of 3424 2768 1CA1.exe cmd.exe PID 2768 wrote to memory of 3424 2768 1CA1.exe cmd.exe PID 1040 wrote to memory of 2552 1040 4367.exe PID 1040 wrote to memory of 2552 1040 4367.exe PID 1040 wrote to memory of 1340 1040 explorer.exe PID 1040 wrote to memory of 1340 1040 explorer.exe PID 1040 wrote to memory of 1340 1040 explorer.exe PID 1040 wrote to memory of 1340 1040 explorer.exe PID 1040 wrote to memory of 3592 1040 explorer.exe PID 1040 wrote to memory of 3592 1040 explorer.exe PID 1040 wrote to memory of 3592 1040 explorer.exe PID 1040 wrote to memory of 1648 1040 explorer.exe PID 1040 wrote to memory of 1648 1040 explorer.exe PID 1040 wrote to memory of 1648 1040 explorer.exe PID 1040 wrote to memory of 1648 1040 explorer.exe PID 3424 wrote to memory of 2948 3424 cmd.exe timeout.exe PID 3424 wrote to memory of 2948 3424 cmd.exe timeout.exe PID 3424 wrote to memory of 2948 3424 cmd.exe timeout.exe PID 1040 wrote to memory of 2460 1040 explorer.exe PID 1040 wrote to memory of 2460 1040 explorer.exe PID 1040 wrote to memory of 2460 1040 explorer.exe PID 1656 wrote to memory of 3984 1656 rovwer.exe schtasks.exe PID 1656 wrote to memory of 3984 1656 rovwer.exe schtasks.exe PID 1656 wrote to memory of 3984 1656 rovwer.exe schtasks.exe PID 1656 wrote to memory of 4744 1656 rovwer.exe cmd.exe PID 1656 wrote to memory of 4744 1656 rovwer.exe cmd.exe PID 1656 wrote to memory of 4744 1656 rovwer.exe cmd.exe PID 4744 wrote to memory of 728 4744 cmd.exe cmd.exe PID 4744 wrote to memory of 728 4744 cmd.exe cmd.exe PID 4744 wrote to memory of 728 4744 cmd.exe cmd.exe PID 4744 wrote to memory of 4604 4744 cmd.exe cacls.exe PID 4744 wrote to memory of 4604 4744 cmd.exe cacls.exe PID 4744 wrote to memory of 4604 4744 cmd.exe cacls.exe PID 1040 wrote to memory of 4240 1040 explorer.exe PID 1040 wrote to memory of 4240 1040 explorer.exe PID 1040 wrote to memory of 4240 1040 explorer.exe PID 1040 wrote to memory of 4240 1040 explorer.exe PID 4744 wrote to memory of 3200 4744 cmd.exe cacls.exe PID 4744 wrote to memory of 3200 4744 cmd.exe cacls.exe PID 4744 wrote to memory of 3200 4744 cmd.exe cacls.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e6e6f7c2683bbce65570e600df6a7bb.exe"C:\Users\Admin\AppData\Local\Temp\9e6e6f7c2683bbce65570e600df6a7bb.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\150E.exeC:\Users\Admin\AppData\Local\Temp\150E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 4962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2524 -ip 25241⤵
-
C:\Users\Admin\AppData\Local\Temp\1CA1.exeC:\Users\Admin\AppData\Local\Temp\1CA1.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1CA1.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 19922⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\23B6.exeC:\Users\Admin\AppData\Local\Temp\23B6.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 18282⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\2677.exeC:\Users\Admin\AppData\Local\Temp\2677.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 9082⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\3210.exeC:\Users\Admin\AppData\Local\Temp\3210.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3752 -ip 37521⤵
-
C:\Users\Admin\AppData\Local\Temp\4367.exeC:\Users\Admin\AppData\Local\Temp\4367.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2768 -ip 27681⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4900 -ip 49001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3784 -ip 37841⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1640 -ip 16401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Temp\150E.exeFilesize
234KB
MD5d7812ba32d4c9d84169ee9703e0c13ac
SHA11f964c8797dc08fa46fe442acc371adc8b874d38
SHA25657202ca65b8718fbed9ec980d45e94b2668e3ea40447fcca9125e2e4fa57e7ed
SHA512e957f5cd9b2ef982cf6bbc1f6b63d56306804f05f77ebbbc73c8d475ed6913aa500f5153bb90aa892ed33b39e8bb6bc5703a3146c81c609c75e1e4ccc0cfec24
-
C:\Users\Admin\AppData\Local\Temp\150E.exeFilesize
234KB
MD5d7812ba32d4c9d84169ee9703e0c13ac
SHA11f964c8797dc08fa46fe442acc371adc8b874d38
SHA25657202ca65b8718fbed9ec980d45e94b2668e3ea40447fcca9125e2e4fa57e7ed
SHA512e957f5cd9b2ef982cf6bbc1f6b63d56306804f05f77ebbbc73c8d475ed6913aa500f5153bb90aa892ed33b39e8bb6bc5703a3146c81c609c75e1e4ccc0cfec24
-
C:\Users\Admin\AppData\Local\Temp\1CA1.exeFilesize
274KB
MD539e947318bd7c04280e9266f4b6c0a35
SHA11568c064c8aa24f17549fbbff895fc7eae574dcd
SHA256ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
SHA51205361abdf59148b763bb5705587a01d8309a5db3b6a8006b70793459af8e48db8c801d41917af9d96e2b74f154a58822d24c4f7585a84f2c5ec43d2f39fb1db2
-
C:\Users\Admin\AppData\Local\Temp\1CA1.exeFilesize
274KB
MD539e947318bd7c04280e9266f4b6c0a35
SHA11568c064c8aa24f17549fbbff895fc7eae574dcd
SHA256ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
SHA51205361abdf59148b763bb5705587a01d8309a5db3b6a8006b70793459af8e48db8c801d41917af9d96e2b74f154a58822d24c4f7585a84f2c5ec43d2f39fb1db2
-
C:\Users\Admin\AppData\Local\Temp\23B6.exeFilesize
293KB
MD52dee200193091be2f2321d921750c4ed
SHA14c5b6c7512be4d4e200c4141dc0e90bcabce4ca3
SHA2567330807028605eba5b4ecfaca0390b78cb04e4276d1de23eb95b407e1244ef12
SHA5124124e9bc1c7c587ce394ad35ec56fd3c6ec4466167df6e00ffa1d88b09b34fa69072d946337cad696223d31d85f8662ff9d5452c474d20cca06d91a8b9c608ad
-
C:\Users\Admin\AppData\Local\Temp\23B6.exeFilesize
293KB
MD52dee200193091be2f2321d921750c4ed
SHA14c5b6c7512be4d4e200c4141dc0e90bcabce4ca3
SHA2567330807028605eba5b4ecfaca0390b78cb04e4276d1de23eb95b407e1244ef12
SHA5124124e9bc1c7c587ce394ad35ec56fd3c6ec4466167df6e00ffa1d88b09b34fa69072d946337cad696223d31d85f8662ff9d5452c474d20cca06d91a8b9c608ad
-
C:\Users\Admin\AppData\Local\Temp\2677.exeFilesize
372KB
MD5d162fc0c82665c30829ebe8bc9b6155d
SHA1df0896eb352c9ce886dd1da00800a35dd35cb293
SHA2566d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
SHA512c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91
-
C:\Users\Admin\AppData\Local\Temp\2677.exeFilesize
372KB
MD5d162fc0c82665c30829ebe8bc9b6155d
SHA1df0896eb352c9ce886dd1da00800a35dd35cb293
SHA2566d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
SHA512c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91
-
C:\Users\Admin\AppData\Local\Temp\3210.exeFilesize
1.2MB
MD5f96144b1d5b53d93caadddade38db5e9
SHA11587e66f9a4d83060ee597f983a7323a556bc1c0
SHA25663018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146
SHA512824a86438150df143c7475605600b4a03dbfa819806f193be248650a3a70e97bdcd3d20cac9b8b00693d464b5cbd168e1f0c78beaa00d167b8a877cfbce3c34c
-
C:\Users\Admin\AppData\Local\Temp\3210.exeFilesize
1.2MB
MD5f96144b1d5b53d93caadddade38db5e9
SHA11587e66f9a4d83060ee597f983a7323a556bc1c0
SHA25663018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146
SHA512824a86438150df143c7475605600b4a03dbfa819806f193be248650a3a70e97bdcd3d20cac9b8b00693d464b5cbd168e1f0c78beaa00d167b8a877cfbce3c34c
-
C:\Users\Admin\AppData\Local\Temp\4367.exeFilesize
3.0MB
MD544a7e13ecc55ce9797c5121b230d9927
SHA1b99f1d86e6d9c7e0d694ca605abd205663278487
SHA2569e0425e14520485fa7e86057d07d26e8064f99a7ad09e35211edd4a428ee57ae
SHA51274df06b20d23483f854b5a88e5ccdfe534497630a105614e6cd87f3238398e0fb03218cb864fd6f7798b69e083c1098225010aecd959fbec28d63c0626711a9f
-
C:\Users\Admin\AppData\Local\Temp\4367.exeFilesize
3.0MB
MD544a7e13ecc55ce9797c5121b230d9927
SHA1b99f1d86e6d9c7e0d694ca605abd205663278487
SHA2569e0425e14520485fa7e86057d07d26e8064f99a7ad09e35211edd4a428ee57ae
SHA51274df06b20d23483f854b5a88e5ccdfe534497630a105614e6cd87f3238398e0fb03218cb864fd6f7798b69e083c1098225010aecd959fbec28d63c0626711a9f
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
372KB
MD5d162fc0c82665c30829ebe8bc9b6155d
SHA1df0896eb352c9ce886dd1da00800a35dd35cb293
SHA2566d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
SHA512c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
372KB
MD5d162fc0c82665c30829ebe8bc9b6155d
SHA1df0896eb352c9ce886dd1da00800a35dd35cb293
SHA2566d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
SHA512c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
372KB
MD5d162fc0c82665c30829ebe8bc9b6155d
SHA1df0896eb352c9ce886dd1da00800a35dd35cb293
SHA2566d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
SHA512c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
372KB
MD5d162fc0c82665c30829ebe8bc9b6155d
SHA1df0896eb352c9ce886dd1da00800a35dd35cb293
SHA2566d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
SHA512c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
memory/412-233-0x0000000000000000-mapping.dmp
-
memory/484-239-0x0000000000000000-mapping.dmp
-
memory/484-242-0x0000000000E00000-0x0000000000E07000-memory.dmpFilesize
28KB
-
memory/484-243-0x0000000000BF0000-0x0000000000BFD000-memory.dmpFilesize
52KB
-
memory/484-265-0x0000000000E00000-0x0000000000E07000-memory.dmpFilesize
28KB
-
memory/516-264-0x0000000000490000-0x0000000000496000-memory.dmpFilesize
24KB
-
memory/516-238-0x0000000000480000-0x000000000048B000-memory.dmpFilesize
44KB
-
memory/516-241-0x0000000000490000-0x0000000000496000-memory.dmpFilesize
24KB
-
memory/516-236-0x0000000000000000-mapping.dmp
-
memory/728-223-0x0000000000000000-mapping.dmp
-
memory/1008-240-0x000000000FA70000-0x000000000FBC2000-memory.dmpFilesize
1.3MB
-
memory/1008-231-0x000000000228A000-0x0000000002379000-memory.dmpFilesize
956KB
-
memory/1008-169-0x0000000000000000-mapping.dmp
-
memory/1008-235-0x000000000FA70000-0x000000000FBC2000-memory.dmpFilesize
1.3MB
-
memory/1008-206-0x0000000002804000-0x0000000002CC5000-memory.dmpFilesize
4.8MB
-
memory/1008-252-0x000000000228A000-0x0000000002379000-memory.dmpFilesize
956KB
-
memory/1340-208-0x0000000001290000-0x000000000129B000-memory.dmpFilesize
44KB
-
memory/1340-203-0x00000000012A0000-0x00000000012A7000-memory.dmpFilesize
28KB
-
memory/1340-199-0x0000000000000000-mapping.dmp
-
memory/1440-232-0x0000000000000000-mapping.dmp
-
memory/1440-237-0x0000000000840000-0x0000000000849000-memory.dmpFilesize
36KB
-
memory/1440-234-0x0000000000850000-0x0000000000855000-memory.dmpFilesize
20KB
-
memory/1440-260-0x0000000000850000-0x0000000000855000-memory.dmpFilesize
20KB
-
memory/1648-213-0x0000000001290000-0x0000000001299000-memory.dmpFilesize
36KB
-
memory/1648-211-0x0000000000000000-mapping.dmp
-
memory/1648-255-0x00000000012A0000-0x00000000012A5000-memory.dmpFilesize
20KB
-
memory/1648-212-0x00000000012A0000-0x00000000012A5000-memory.dmpFilesize
20KB
-
memory/1656-219-0x0000000000983000-0x00000000009A2000-memory.dmpFilesize
124KB
-
memory/1656-257-0x0000000000400000-0x0000000000860000-memory.dmpFilesize
4.4MB
-
memory/1656-189-0x0000000000000000-mapping.dmp
-
memory/1656-220-0x0000000000400000-0x0000000000860000-memory.dmpFilesize
4.4MB
-
memory/1792-132-0x0000000000BB2000-0x0000000000BC8000-memory.dmpFilesize
88KB
-
memory/1792-134-0x0000000000400000-0x0000000000857000-memory.dmpFilesize
4.3MB
-
memory/1792-135-0x0000000000400000-0x0000000000857000-memory.dmpFilesize
4.3MB
-
memory/1792-133-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/2220-270-0x0000000000BE8EA0-mapping.dmp
-
memory/2220-272-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/2220-269-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/2220-273-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/2220-271-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/2260-228-0x0000000000000000-mapping.dmp
-
memory/2460-258-0x0000000000750000-0x0000000000756000-memory.dmpFilesize
24KB
-
memory/2460-222-0x0000000000740000-0x000000000074C000-memory.dmpFilesize
48KB
-
memory/2460-216-0x0000000000000000-mapping.dmp
-
memory/2460-221-0x0000000000750000-0x0000000000756000-memory.dmpFilesize
24KB
-
memory/2524-136-0x0000000000000000-mapping.dmp
-
memory/2552-196-0x0000000000000000-mapping.dmp
-
memory/2768-156-0x00000000006F0000-0x000000000073A000-memory.dmpFilesize
296KB
-
memory/2768-145-0x0000000000000000-mapping.dmp
-
memory/2768-209-0x0000000000918000-0x0000000000945000-memory.dmpFilesize
180KB
-
memory/2768-210-0x0000000000400000-0x00000000005A9000-memory.dmpFilesize
1.7MB
-
memory/2768-153-0x0000000000918000-0x0000000000945000-memory.dmpFilesize
180KB
-
memory/2768-157-0x0000000000400000-0x00000000005A9000-memory.dmpFilesize
1.7MB
-
memory/2768-161-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/2876-200-0x0000000006790000-0x00000000067F6000-memory.dmpFilesize
408KB
-
memory/2876-204-0x0000000007280000-0x0000000007442000-memory.dmpFilesize
1.8MB
-
memory/2876-207-0x0000000007980000-0x0000000007EAC000-memory.dmpFilesize
5.2MB
-
memory/2876-148-0x0000000005980000-0x0000000005F98000-memory.dmpFilesize
6.1MB
-
memory/2876-149-0x0000000005500000-0x000000000560A000-memory.dmpFilesize
1.0MB
-
memory/2876-150-0x0000000005430000-0x0000000005442000-memory.dmpFilesize
72KB
-
memory/2876-151-0x00000000054A0000-0x00000000054DC000-memory.dmpFilesize
240KB
-
memory/2876-140-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2876-139-0x0000000000000000-mapping.dmp
-
memory/2948-214-0x0000000000000000-mapping.dmp
-
memory/3200-226-0x0000000000000000-mapping.dmp
-
memory/3424-195-0x0000000000000000-mapping.dmp
-
memory/3592-215-0x0000000000FE0000-0x0000000000FEF000-memory.dmpFilesize
60KB
-
memory/3592-205-0x0000000000000000-mapping.dmp
-
memory/3592-256-0x0000000000FF0000-0x0000000000FF9000-memory.dmpFilesize
36KB
-
memory/3752-158-0x0000000000000000-mapping.dmp
-
memory/3752-180-0x0000000000AE3000-0x0000000000B02000-memory.dmpFilesize
124KB
-
memory/3752-183-0x00000000001C0000-0x00000000001FE000-memory.dmpFilesize
248KB
-
memory/3752-201-0x0000000000AE3000-0x0000000000B02000-memory.dmpFilesize
124KB
-
memory/3752-202-0x0000000000400000-0x0000000000860000-memory.dmpFilesize
4.4MB
-
memory/3752-184-0x0000000000400000-0x0000000000860000-memory.dmpFilesize
4.4MB
-
memory/3784-263-0x0000000000400000-0x0000000000860000-memory.dmpFilesize
4.4MB
-
memory/3784-262-0x0000000000AF4000-0x0000000000B12000-memory.dmpFilesize
120KB
-
memory/3896-275-0x0000000000000000-mapping.dmp
-
memory/3984-217-0x0000000000000000-mapping.dmp
-
memory/4216-227-0x0000000000000000-mapping.dmp
-
memory/4224-248-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4224-267-0x00000000073D0000-0x0000000007420000-memory.dmpFilesize
320KB
-
memory/4224-266-0x0000000006CE0000-0x0000000006D56000-memory.dmpFilesize
472KB
-
memory/4224-245-0x0000000000000000-mapping.dmp
-
memory/4224-246-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4240-259-0x0000000000710000-0x0000000000732000-memory.dmpFilesize
136KB
-
memory/4240-225-0x0000000000000000-mapping.dmp
-
memory/4240-230-0x00000000006E0000-0x0000000000707000-memory.dmpFilesize
156KB
-
memory/4240-229-0x0000000000710000-0x0000000000732000-memory.dmpFilesize
136KB
-
memory/4604-224-0x0000000000000000-mapping.dmp
-
memory/4612-250-0x0000000000740000-0x0000000000748000-memory.dmpFilesize
32KB
-
memory/4612-251-0x0000000000730000-0x000000000073B000-memory.dmpFilesize
44KB
-
memory/4612-244-0x0000000000000000-mapping.dmp
-
memory/4744-218-0x0000000000000000-mapping.dmp
-
memory/4900-186-0x0000000000400000-0x00000000005AE000-memory.dmpFilesize
1.7MB
-
memory/4900-152-0x0000000000000000-mapping.dmp
-
memory/4900-185-0x0000000000710000-0x000000000074E000-memory.dmpFilesize
248KB
-
memory/4900-253-0x00000000008A8000-0x00000000008D9000-memory.dmpFilesize
196KB
-
memory/4900-190-0x0000000004D10000-0x00000000052B4000-memory.dmpFilesize
5.6MB
-
memory/4900-194-0x00000000008A8000-0x00000000008D9000-memory.dmpFilesize
196KB
-
memory/4900-261-0x0000000000400000-0x00000000005AE000-memory.dmpFilesize
1.7MB
-
memory/4900-191-0x0000000004B80000-0x0000000004C12000-memory.dmpFilesize
584KB
-
memory/4900-249-0x0000000000400000-0x00000000005AE000-memory.dmpFilesize
1.7MB