amadey | cad9a76421a4817de3461299b122dff7aedbf112627fb724a0ba88b7585a80ea

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
Size

173KB
MD5

45c787fae28e23b61a47e0eb0a6a441f
SHA1

a2e376a9b1a31898214b1750a994c57e2a391fcc
SHA256

d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3
SHA512

4b5ac3734d67ad3e5b7156aeebd2f611c49c5d3f8d6ff9d3752161209c368b2b55bc96851d7116b8f3892dd5f005e45a76ef89b8d706ac5229936f6ce391ca14
SSDEEP

3072:ajRfxxeuQdKdvZO5rNRGtGzy4X8I4U9yY5YGOGELlV:at/Qd6oNRbWYAuc

Score

10^/10

amadey djvu smokeloader backdoor collection discovery persistence ransomware trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.kcbu
offline_id
hlqzhQ6w5SquNDF4Ul2XBDJQkSIKbAT6rmRBTit1
payload_url
http://uaery.top/dl/build2.exe

http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-lj5qINGbTc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0608Jhyjd

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/444-165-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3316-166-0x0000000002760000-0x000000000287B000-memory.dmp	family_djvu
behavioral2/memory/444-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/444-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/444-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/444-188-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4688-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4688-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4688-210-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/920-133-0x0000000002450000-0x0000000002459000-memory.dmp	family_smokeloader
behavioral2/memory/3100-170-0x00000000001C0000-0x00000000001C9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

5C39.exe5DE0.exe5EEB.exe613D.exe62E4.exe5C39.exerovwer.exerovwer.exe5C39.exe5C39.exe

pid process

3316 5C39.exe
3100 5DE0.exe
2132 5EEB.exe
4172 613D.exe
4288 62E4.exe
444 5C39.exe
4152 rovwer.exe
4072 rovwer.exe
4884 5C39.exe
4688 5C39.exe

pid	process
3316	5C39.exe
3100	5DE0.exe
2132	5EEB.exe
4172	613D.exe
4288	62E4.exe
444	5C39.exe
4152	rovwer.exe
4072	rovwer.exe
4884	5C39.exe
4688	5C39.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

613D.exe62E4.exe5C39.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	613D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	62E4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5C39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

5092 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3812 icacls.exe

pid	process
5092	regsvr32.exe

pid	process
3812	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5C39.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e7c91ac9-69a1-4cb0-afda-b65c41067210\\5C39.exe\" --AutoStart"	5C39.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 api.2ip.ua
49 api.2ip.ua
75 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

5C39.exe5C39.exe

description pid process target process

PID 3316 set thread context of 444 3316 5C39.exe 5C39.exe
PID 4884 set thread context of 4688 4884 5C39.exe 5C39.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
48	api.2ip.ua
49	api.2ip.ua
75	api.2ip.ua

description	pid	process	target process
PID 3316 set thread context of 444	3316	5C39.exe	5C39.exe
PID 4884 set thread context of 4688	4884	5C39.exe	5C39.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
548	2132	WerFault.exe	5EEB.exe
4860	4172	WerFault.exe	613D.exe
4944	4288	WerFault.exe	62E4.exe
3708	4288	WerFault.exe	62E4.exe
1112	4072	WerFault.exe	rovwer.exe
2044	4072	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5DE0.exed964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5DE0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5DE0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5DE0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2952 schtasks.exe

pid	process
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe

pid	process
920	d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
920	d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932
2932

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2932
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe5DE0.exe

pid process

920 d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
2932
2932
2932
2932
3100 5DE0.exe

pid	process
2932

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932
Token: SeShutdownPrivilege	2932
Token: SeCreatePagefilePrivilege	2932

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

regsvr32.exe5C39.exe5C39.exe62E4.exe613D.exe5C39.exerovwer.exe

description	pid	process	target process
PID 2932 wrote to memory of 3316	2932		5C39.exe
PID 2932 wrote to memory of 3316	2932		5C39.exe
PID 2932 wrote to memory of 3316	2932		5C39.exe
PID 2932 wrote to memory of 3100	2932		5DE0.exe
PID 2932 wrote to memory of 3100	2932		5DE0.exe
PID 2932 wrote to memory of 3100	2932		5DE0.exe
PID 2932 wrote to memory of 2132	2932		5EEB.exe
PID 2932 wrote to memory of 2132	2932		5EEB.exe
PID 2932 wrote to memory of 2132	2932		5EEB.exe
PID 2932 wrote to memory of 4172	2932		613D.exe
PID 2932 wrote to memory of 4172	2932		613D.exe
PID 2932 wrote to memory of 4172	2932		613D.exe
PID 2932 wrote to memory of 4288	2932		62E4.exe
PID 2932 wrote to memory of 4288	2932		62E4.exe
PID 2932 wrote to memory of 4288	2932		62E4.exe
PID 2932 wrote to memory of 5020	2932		regsvr32.exe
PID 2932 wrote to memory of 5020	2932		regsvr32.exe
PID 5020 wrote to memory of 5092	5020	regsvr32.exe	regsvr32.exe
PID 5020 wrote to memory of 5092	5020	regsvr32.exe	regsvr32.exe
PID 5020 wrote to memory of 5092	5020	regsvr32.exe	regsvr32.exe
PID 2932 wrote to memory of 5096	2932		explorer.exe
PID 2932 wrote to memory of 5096	2932		explorer.exe
PID 2932 wrote to memory of 5096	2932		explorer.exe
PID 2932 wrote to memory of 5096	2932		explorer.exe
PID 2932 wrote to memory of 1792	2932		explorer.exe
PID 2932 wrote to memory of 1792	2932		explorer.exe
PID 2932 wrote to memory of 1792	2932		explorer.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 3316 wrote to memory of 444	3316	5C39.exe	5C39.exe
PID 444 wrote to memory of 3812	444	5C39.exe	icacls.exe
PID 444 wrote to memory of 3812	444	5C39.exe	icacls.exe
PID 444 wrote to memory of 3812	444	5C39.exe	icacls.exe
PID 4288 wrote to memory of 4152	4288	62E4.exe	rovwer.exe
PID 4288 wrote to memory of 4152	4288	62E4.exe	rovwer.exe
PID 4288 wrote to memory of 4152	4288	62E4.exe	rovwer.exe
PID 4172 wrote to memory of 4072	4172	613D.exe	rovwer.exe
PID 4172 wrote to memory of 4072	4172	613D.exe	rovwer.exe
PID 4172 wrote to memory of 4072	4172	613D.exe	rovwer.exe
PID 444 wrote to memory of 4884	444	5C39.exe	5C39.exe
PID 444 wrote to memory of 4884	444	5C39.exe	5C39.exe
PID 444 wrote to memory of 4884	444	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4884 wrote to memory of 4688	4884	5C39.exe	5C39.exe
PID 4152 wrote to memory of 2952	4152	rovwer.exe	schtasks.exe
PID 4152 wrote to memory of 2952	4152	rovwer.exe	schtasks.exe
PID 4152 wrote to memory of 2952	4152	rovwer.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe
"C:\Users\Admin\AppData\Local\Temp\d964a34c3d9e21b6f9aaa43459863b0d2feb573fa0dae5a6cd6b1ce3a4c31eb3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:920

C:\Users\Admin\AppData\Local\Temp\5C39.exe
C:\Users\Admin\AppData\Local\Temp\5C39.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\5C39.exe
C:\Users\Admin\AppData\Local\Temp\5C39.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e7c91ac9-69a1-4cb0-afda-b65c41067210" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3812

C:\Users\Admin\AppData\Local\Temp\5C39.exe
"C:\Users\Admin\AppData\Local\Temp\5C39.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\5C39.exe
"C:\Users\Admin\AppData\Local\Temp\5C39.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\AppData\Local\Temp\5DE0.exe
C:\Users\Admin\AppData\Local\Temp\5DE0.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3100

C:\Users\Admin\AppData\Local\Temp\5EEB.exe
C:\Users\Admin\AppData\Local\Temp\5EEB.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 344
2⤵
- Program crash
PID:548

C:\Users\Admin\AppData\Local\Temp\613D.exe
C:\Users\Admin\AppData\Local\Temp\613D.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 448
3⤵
- Program crash
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 456
3⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 876
2⤵
- Program crash
PID:4860

C:\Users\Admin\AppData\Local\Temp\62E4.exe
C:\Users\Admin\AppData\Local\Temp\62E4.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 916
2⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1248
2⤵
- Program crash
PID:3708

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\66FC.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\66FC.dll
2⤵
- Loads dropped DLL
PID:5092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:5096

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2132 -ip 2132
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4288 -ip 4288
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4172 -ip 4172
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4288 -ip 4288
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4072 -ip 4072
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4072 -ip 4072
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
8cd381eca2d5342e36b1e65a9b7f82d5

SHA1
d9b529576e1ea26e8daf88fcda26b7a0069da217

SHA256
17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

SHA512
c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
8641ac0a62e1e72023be75ceed4638a9

SHA1
a347dbd79e99d81cdd6ec77783008fec9f7e7d42

SHA256
d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

SHA512
9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
a433d9ef9c65e393313607197a856adc

SHA1
a9629912ce7a7a2173b5efc9686e23b38798d252

SHA256
8837cf5571b1c1be4690c5786b46c66d3ce5e2722b912bee4efea79844defcb3

SHA512
379d09bf6ac0dff2b342a64da6a8c093931a0217ee31d73d6d0e65203c09d37b2f2f85a55928b28606f3436840b228070e213e29a7a10a7cb8cc6981e590857d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
748a0f71641487a53c1ce94327b5b00d

SHA1
80f90f75b4c36d8a449f33cbb5e9b19b8c351b05

SHA256
0c378027cdc26d66ac684515585cd4b0c3ba0c893d81a028c8fc64e88035b142

SHA512
6215a51d9fd1217fc867e9895c37eaf3144563d2f53978e203ee2c053d6d564ca8e15a76d124e87a68966cf5b52d834832bd9e4049c1e6d981804738fe9f80c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
226KB

MD5
7d5768018e43db010843b5c0f87cf507

SHA1
5dcde68657061bdc91f84449a5c9836a0327748d

SHA256
a718e90f08e4e3a15d0acbe4d6f1ac4e49dc3e5e95460d4a4a9e2a77e4cf6217

SHA512
7f05d2a3a13614bc0a0433cc9b7beb306d1cc5f384f201227c6011d116d036071b3fe1aca08857fc32ca544ce610f2341f9cc8bf5bb3d84ccb26a37ce444f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
233KB

MD5
a11cd81b9c09d6c4e68a2b7d5c6e11b6

SHA1
c4fdfe503e03863a1ecf4f37ff589e99fd9dc81d

SHA256
4ee2520ed9dc5ab83648b0ff057a7b407a1d4ee5667e3b1ecf5fa750d0e7cdf8

SHA512
73d8b8a7b52d7523db845d4fe1e5b76ffa2f86627f4e7487275f23e0e8883e3c0c436250121351d9ee7ebd72b357b0c19310c3b17cbee8f42dd316c2e55eae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
233KB

MD5
a11cd81b9c09d6c4e68a2b7d5c6e11b6

SHA1
c4fdfe503e03863a1ecf4f37ff589e99fd9dc81d

SHA256
4ee2520ed9dc5ab83648b0ff057a7b407a1d4ee5667e3b1ecf5fa750d0e7cdf8

SHA512
73d8b8a7b52d7523db845d4fe1e5b76ffa2f86627f4e7487275f23e0e8883e3c0c436250121351d9ee7ebd72b357b0c19310c3b17cbee8f42dd316c2e55eae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
233KB

MD5
a11cd81b9c09d6c4e68a2b7d5c6e11b6

SHA1
c4fdfe503e03863a1ecf4f37ff589e99fd9dc81d

SHA256
4ee2520ed9dc5ab83648b0ff057a7b407a1d4ee5667e3b1ecf5fa750d0e7cdf8

SHA512
73d8b8a7b52d7523db845d4fe1e5b76ffa2f86627f4e7487275f23e0e8883e3c0c436250121351d9ee7ebd72b357b0c19310c3b17cbee8f42dd316c2e55eae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C39.exe
Filesize
707KB

MD5
e247b89d3bc2876d10757ed38f77364a

SHA1
5549d29df0c494ea0b317684a4a89fffc9421752

SHA256
7e915057b8dee9e425ce461eca6c1accb8e30c0cbc9ffbb4799460c57733cf47

SHA512
22072d0b98a03e246c2639bb0cfeb16819e8a328e92e81ec6096b37966f3856ebcdcadb4ac5aa9bb7d127dd0c77ebb528bb2bc5559882d24d56e174feebfe281

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C39.exe
Filesize
707KB

MD5
e247b89d3bc2876d10757ed38f77364a

SHA1
5549d29df0c494ea0b317684a4a89fffc9421752

SHA256
7e915057b8dee9e425ce461eca6c1accb8e30c0cbc9ffbb4799460c57733cf47

SHA512
22072d0b98a03e246c2639bb0cfeb16819e8a328e92e81ec6096b37966f3856ebcdcadb4ac5aa9bb7d127dd0c77ebb528bb2bc5559882d24d56e174feebfe281

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C39.exe
Filesize
707KB

MD5
e247b89d3bc2876d10757ed38f77364a

SHA1
5549d29df0c494ea0b317684a4a89fffc9421752

SHA256
7e915057b8dee9e425ce461eca6c1accb8e30c0cbc9ffbb4799460c57733cf47

SHA512
22072d0b98a03e246c2639bb0cfeb16819e8a328e92e81ec6096b37966f3856ebcdcadb4ac5aa9bb7d127dd0c77ebb528bb2bc5559882d24d56e174feebfe281

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C39.exe
Filesize
707KB

MD5
e247b89d3bc2876d10757ed38f77364a

SHA1
5549d29df0c494ea0b317684a4a89fffc9421752

SHA256
7e915057b8dee9e425ce461eca6c1accb8e30c0cbc9ffbb4799460c57733cf47

SHA512
22072d0b98a03e246c2639bb0cfeb16819e8a328e92e81ec6096b37966f3856ebcdcadb4ac5aa9bb7d127dd0c77ebb528bb2bc5559882d24d56e174feebfe281

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C39.exe
Filesize
707KB

MD5
e247b89d3bc2876d10757ed38f77364a

SHA1
5549d29df0c494ea0b317684a4a89fffc9421752

SHA256
7e915057b8dee9e425ce461eca6c1accb8e30c0cbc9ffbb4799460c57733cf47

SHA512
22072d0b98a03e246c2639bb0cfeb16819e8a328e92e81ec6096b37966f3856ebcdcadb4ac5aa9bb7d127dd0c77ebb528bb2bc5559882d24d56e174feebfe281

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DE0.exe
Filesize
167KB

MD5
e7aa32d45efb01feb230ea061d63a423

SHA1
5a4797ea34363b6c13a3a5c858650d4634c8bcf8

SHA256
e114b82dbb273f622092d7d379134f861879aea5c30855a9056d4b12299a4d0e

SHA512
4ce9c89874ae6fc836383568dc8f4ed2a19d1b03b407d3f665bf20bfef7b849d7e938759d86044b6335ca0a7fd81741f6af48476dcdf010ec4f774a817009d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DE0.exe
Filesize
167KB

MD5
e7aa32d45efb01feb230ea061d63a423

SHA1
5a4797ea34363b6c13a3a5c858650d4634c8bcf8

SHA256
e114b82dbb273f622092d7d379134f861879aea5c30855a9056d4b12299a4d0e

SHA512
4ce9c89874ae6fc836383568dc8f4ed2a19d1b03b407d3f665bf20bfef7b849d7e938759d86044b6335ca0a7fd81741f6af48476dcdf010ec4f774a817009d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EEB.exe
Filesize
174KB

MD5
ef2c619b770cc571fb13e5a8bb4b69a8

SHA1
05f7cfdadabf0a358632f4a648ff554fe7bcf6e5

SHA256
e224e02680f9c604585651149f8fdf8854ba6716948b4c1d0a2f9284f714126a

SHA512
c738aeece85c0467632dd39d73d6e4343177bdaa39a45c9a07d5d500ada13530a1c1e4cd1d75f62974bf37c52575ddda427388f820724ca62118ac5bb5d44364

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EEB.exe
Filesize
174KB

MD5
ef2c619b770cc571fb13e5a8bb4b69a8

SHA1
05f7cfdadabf0a358632f4a648ff554fe7bcf6e5

SHA256
e224e02680f9c604585651149f8fdf8854ba6716948b4c1d0a2f9284f714126a

SHA512
c738aeece85c0467632dd39d73d6e4343177bdaa39a45c9a07d5d500ada13530a1c1e4cd1d75f62974bf37c52575ddda427388f820724ca62118ac5bb5d44364

Download Submit
C:\Users\Admin\AppData\Local\Temp\613D.exe
Filesize
226KB

MD5
7d5768018e43db010843b5c0f87cf507

SHA1
5dcde68657061bdc91f84449a5c9836a0327748d

SHA256
a718e90f08e4e3a15d0acbe4d6f1ac4e49dc3e5e95460d4a4a9e2a77e4cf6217

SHA512
7f05d2a3a13614bc0a0433cc9b7beb306d1cc5f384f201227c6011d116d036071b3fe1aca08857fc32ca544ce610f2341f9cc8bf5bb3d84ccb26a37ce444f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\613D.exe
Filesize
226KB

MD5
7d5768018e43db010843b5c0f87cf507

SHA1
5dcde68657061bdc91f84449a5c9836a0327748d

SHA256
a718e90f08e4e3a15d0acbe4d6f1ac4e49dc3e5e95460d4a4a9e2a77e4cf6217

SHA512
7f05d2a3a13614bc0a0433cc9b7beb306d1cc5f384f201227c6011d116d036071b3fe1aca08857fc32ca544ce610f2341f9cc8bf5bb3d84ccb26a37ce444f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\62E4.exe
Filesize
233KB

MD5
a11cd81b9c09d6c4e68a2b7d5c6e11b6

SHA1
c4fdfe503e03863a1ecf4f37ff589e99fd9dc81d

SHA256
4ee2520ed9dc5ab83648b0ff057a7b407a1d4ee5667e3b1ecf5fa750d0e7cdf8

SHA512
73d8b8a7b52d7523db845d4fe1e5b76ffa2f86627f4e7487275f23e0e8883e3c0c436250121351d9ee7ebd72b357b0c19310c3b17cbee8f42dd316c2e55eae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\62E4.exe
Filesize
233KB

MD5
a11cd81b9c09d6c4e68a2b7d5c6e11b6

SHA1
c4fdfe503e03863a1ecf4f37ff589e99fd9dc81d

SHA256
4ee2520ed9dc5ab83648b0ff057a7b407a1d4ee5667e3b1ecf5fa750d0e7cdf8

SHA512
73d8b8a7b52d7523db845d4fe1e5b76ffa2f86627f4e7487275f23e0e8883e3c0c436250121351d9ee7ebd72b357b0c19310c3b17cbee8f42dd316c2e55eae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\66FC.dll
Filesize
2.0MB

MD5
eef81751e9f7ff84e6d8ccf9aebe3883

SHA1
7dd92a79f69c30b7d00c385390b561a1e93e1574

SHA256
f881acc597313fe673a90c90d2e17e7f2c170a86e7ece1513b3882036e433933

SHA512
40f4dffa54e2f0e81d8dd5d66c9082fadc384f965222fb92c0a54cf0a1da28f4f529562ac5bed380fd6e8e617f9e6321558cfdc2cc5d0da8bbd37ca4e6adbb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\66FC.dll
Filesize
2.0MB

MD5
eef81751e9f7ff84e6d8ccf9aebe3883

SHA1
7dd92a79f69c30b7d00c385390b561a1e93e1574

SHA256
f881acc597313fe673a90c90d2e17e7f2c170a86e7ece1513b3882036e433933

SHA512
40f4dffa54e2f0e81d8dd5d66c9082fadc384f965222fb92c0a54cf0a1da28f4f529562ac5bed380fd6e8e617f9e6321558cfdc2cc5d0da8bbd37ca4e6adbb26

Download Submit
C:\Users\Admin\AppData\Local\e7c91ac9-69a1-4cb0-afda-b65c41067210\5C39.exe
Filesize
707KB

MD5
e247b89d3bc2876d10757ed38f77364a

SHA1
5549d29df0c494ea0b317684a4a89fffc9421752

SHA256
7e915057b8dee9e425ce461eca6c1accb8e30c0cbc9ffbb4799460c57733cf47

SHA512
22072d0b98a03e246c2639bb0cfeb16819e8a328e92e81ec6096b37966f3856ebcdcadb4ac5aa9bb7d127dd0c77ebb528bb2bc5559882d24d56e174feebfe281

Download Submit
memory/444-188-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/444-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/444-161-0x0000000000000000-mapping.dmp

Download
memory/444-165-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/444-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/444-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/920-133-0x0000000002450000-0x0000000002459000-memory.dmp

Filesize
36KB

Download
memory/920-134-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/920-132-0x00000000008BE000-0x00000000008CE000-memory.dmp

Filesize
64KB

Download
memory/920-135-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/1792-158-0x0000000000000000-mapping.dmp

Download
memory/1792-159-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/2132-175-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2132-174-0x000000000077D000-0x000000000078E000-memory.dmp

Filesize
68KB

Download
memory/2132-142-0x0000000000000000-mapping.dmp

Download
memory/2952-199-0x0000000000000000-mapping.dmp

Download
memory/3100-170-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3100-171-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3100-169-0x0000000000A1D000-0x0000000000A2D000-memory.dmp

Filesize
64KB

Download
memory/3100-191-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3100-139-0x0000000000000000-mapping.dmp

Download
memory/3316-163-0x0000000000C0A000-0x0000000000C9C000-memory.dmp

Filesize
584KB

Download
memory/3316-136-0x0000000000000000-mapping.dmp

Download
memory/3316-166-0x0000000002760000-0x000000000287B000-memory.dmp

Filesize
1.1MB

Download
memory/3812-173-0x0000000000000000-mapping.dmp

Download
memory/4072-204-0x000000000086C000-0x000000000088B000-memory.dmp

Filesize
124KB

Download
memory/4072-205-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4072-184-0x0000000000000000-mapping.dmp

Download
memory/4152-183-0x0000000000000000-mapping.dmp

Download
memory/4152-201-0x0000000000B00000-0x0000000000B1F000-memory.dmp

Filesize
124KB

Download
memory/4152-203-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4172-145-0x0000000000000000-mapping.dmp

Download
memory/4172-176-0x00000000009CD000-0x00000000009EC000-memory.dmp

Filesize
124KB

Download
memory/4172-190-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4172-177-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4172-178-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4288-148-0x0000000000000000-mapping.dmp

Download
memory/4288-182-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4288-192-0x000000000082D000-0x000000000084C000-memory.dmp

Filesize
124KB

Download
memory/4288-193-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4288-179-0x000000000082D000-0x000000000084C000-memory.dmp

Filesize
124KB

Download
memory/4688-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4688-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4688-194-0x0000000000000000-mapping.dmp

Download
memory/4688-210-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4884-198-0x000000000275F000-0x00000000027F1000-memory.dmp

Filesize
584KB

Download
memory/4884-187-0x0000000000000000-mapping.dmp

Download
memory/5020-151-0x0000000000000000-mapping.dmp

Download
memory/5092-153-0x0000000000000000-mapping.dmp

Download
memory/5096-154-0x0000000000000000-mapping.dmp

Download
memory/5096-157-0x0000000000970000-0x00000000009DB000-memory.dmp

Filesize
428KB

Download
memory/5096-156-0x0000000000C00000-0x0000000000C75000-memory.dmp

Filesize
468KB

Download
memory/5096-160-0x0000000000970000-0x00000000009DB000-memory.dmp

Filesize
428KB

Download