djvu | 1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4

Resubmissions

14/11/2023, 17:31

231114-v3qg7acf42 10

14/11/2023, 17:21

28/10/2023, 19:29

24/10/2023, 13:29

18/10/2023, 12:04

07/09/2023, 12:10

Analysis

max time kernel
185s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
Size

1.1MB
MD5

5b3c8242aab49db13a10b3454bf14ac8
SHA1

9667f4b95635d6e464963b47a2b559ca8a6add94
SHA256

81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9
SHA512

4aa7493a8a978e67b3e7a6f2f6008b74ca92e7a2bf34846bec189180ffce1022c38b80af39d52713c36e026ff20c9e660c6f80157fc05de4c25b502f35a2be32
SSDEEP

24576:mABwP/lOtVi7TlVvmgwdaeiQAAJLqnVd:5W4q5wg6HZJG

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://dell1.ug/Asjd74ywuhodfgdfgpenelop5/45y87hzjdfg/get.php

Attributes

extension
.boot
offline_id
zZyLTRlsJ8hv1HPF6BPmiyHxTSON3B8vILboott1
payload_url
http://dell1.ug/files/penelop/updatewin1.exe

http://dell1.ug/files/penelop/updatewin2.exe

http://dell1.ug/files/penelop/updatewin.exe

http://dell1.ug/files/penelop/3.exe

http://dell1.ug/files/penelop/4.exe

http://dell1.ug/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-JeLOm18e5g Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0167A73uHsdfs89

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral16/memory/1444-3-0x0000000000D50000-0x0000000000E6A000-memory.dmp	family_djvu
behavioral16/memory/1444-4-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/1444-10-0x0000000000D50000-0x0000000000E6A000-memory.dmp	family_djvu
behavioral16/memory/1444-16-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/1444-18-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/5084-21-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/5084-26-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/5084-27-0x0000000000BE0000-0x0000000000CB2000-memory.dmp	family_djvu
behavioral16/memory/5084-31-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/5084-32-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/3468-36-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/5084-37-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/3468-38-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu
behavioral16/memory/5084-349-0x0000000000400000-0x000000000053B000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe

Executes dropped EXE 1 IoCs

pid	Process
3468	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3692	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0a4ad479-c70d-4277-bd39-95cbdfcb7d85\\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe\" --AutoStart"	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	api.2ip.ua
51	api.2ip.ua
52	api.2ip.ua
69	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 44 IoCs

pid	pid_target	Process	procid_target
612	1444	WerFault.exe	85
3944	1444	WerFault.exe	85
4488	1444	WerFault.exe	85
3840	1444	WerFault.exe	85
224	1444	WerFault.exe	85
1524	1444	WerFault.exe	85
924	1444	WerFault.exe	85
3968	1444	WerFault.exe	85
3700	1444	WerFault.exe	85
772	1444	WerFault.exe	85
2496	1444	WerFault.exe	85
4732	1444	WerFault.exe	85
1984	1444	WerFault.exe	85
1148	1444	WerFault.exe	85
4992	1444	WerFault.exe	85
644	1444	WerFault.exe	85
4880	5084	WerFault.exe	129
4588	5084	WerFault.exe	129
3748	5084	WerFault.exe	129
568	5084	WerFault.exe	129
1684	5084	WerFault.exe	129
3968	5084	WerFault.exe	129
832	5084	WerFault.exe	129
4948	5084	WerFault.exe	129
4340	5084	WerFault.exe	129
4456	5084	WerFault.exe	129
2704	5084	WerFault.exe	129
2500	5084	WerFault.exe	129
4948	5084	WerFault.exe	129
4732	5084	WerFault.exe	129
676	5084	WerFault.exe	129
2704	5084	WerFault.exe	129
2072	3468	WerFault.exe	173
1772	3468	WerFault.exe	173
4776	3468	WerFault.exe	173
2760	3468	WerFault.exe	173
2624	3468	WerFault.exe	173
3972	3468	WerFault.exe	173
1344	3468	WerFault.exe	173
4496	3468	WerFault.exe	173
3684	3468	WerFault.exe	173
2104	3468	WerFault.exe	173
4352	5084	WerFault.exe	129
228	5084	WerFault.exe	129

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
5084	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
5084	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
3468	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
3468	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
5084	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
5084	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3692	1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe	124
PID 1444 wrote to memory of 3692	1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe	124
PID 1444 wrote to memory of 3692	1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe	124
PID 1444 wrote to memory of 5084	1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe	129
PID 1444 wrote to memory of 5084	1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe	129
PID 1444 wrote to memory of 5084	1444	81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe	129

C:\Users\Admin\AppData\Local\Temp\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
"C:\Users\Admin\AppData\Local\Temp\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 844
  2⤵
  - Program crash
  PID:612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 884
  2⤵
  - Program crash
  PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 904
  2⤵
  - Program crash
  PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 864
  2⤵
  - Program crash
  PID:3840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 984
  2⤵
  - Program crash
  PID:224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1104
  2⤵
  - Program crash
  PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1124
  2⤵
  - Program crash
  PID:924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1524
  2⤵
  - Program crash
  PID:3968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1524
  2⤵
  - Program crash
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1596
  2⤵
  - Program crash
  PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1832
  2⤵
  - Program crash
  PID:2496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1524
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1848
  2⤵
  - Program crash
  PID:1984
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\0a4ad479-c70d-4277-bd39-95cbdfcb7d85" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1828
  2⤵
  - Program crash
  PID:1148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 2096
  2⤵
  - Program crash
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
  "C:\Users\Admin\AppData\Local\Temp\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 700
    3⤵
    - Program crash
    PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 800
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 820
    3⤵
    - Program crash
    PID:3748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 884
    3⤵
    - Program crash
    PID:568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1000
    3⤵
    - Program crash
    PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1112
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1412
    3⤵
    - Program crash
    PID:832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1568
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1652
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1568
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1696
    3⤵
    - Program crash
    PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1556
    3⤵
    - Program crash
    PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1752
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1740
    3⤵
    - Program crash
    PID:4732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1664
    3⤵
    - Program crash
    PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1728
    3⤵
    - Program crash
    PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1784
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1672
    3⤵
    - Program crash
    PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1884
  2⤵
  - Program crash
  PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1444 -ip 1444
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1444 -ip 1444
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1444 -ip 1444
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1444 -ip 1444
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1444 -ip 1444
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1444 -ip 1444
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1444 -ip 1444
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1444 -ip 1444
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1444 -ip 1444
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1444 -ip 1444
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1444 -ip 1444
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1444 -ip 1444
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1444 -ip 1444
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1444 -ip 1444
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1444 -ip 1444
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5084 -ip 5084
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5084 -ip 5084
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5084 -ip 5084
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5084 -ip 5084
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5084 -ip 5084
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5084 -ip 5084
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5084 -ip 5084
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5084 -ip 5084
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5084 -ip 5084
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5084 -ip 5084
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5084 -ip 5084
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5084 -ip 5084
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5084 -ip 5084
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5084 -ip 5084
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5084 -ip 5084
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5084 -ip 5084
1⤵
PID:1400

C:\Users\Admin\AppData\Local\0a4ad479-c70d-4277-bd39-95cbdfcb7d85\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe
C:\Users\Admin\AppData\Local\0a4ad479-c70d-4277-bd39-95cbdfcb7d85\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 832
  2⤵
  - Program crash
  PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 876
  2⤵
  - Program crash
  PID:1772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 876
  2⤵
  - Program crash
  PID:4776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 904
  2⤵
  - Program crash
  PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1064
  2⤵
  - Program crash
  PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1072
  2⤵
  - Program crash
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1444
  2⤵
  - Program crash
  PID:1344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1452
  2⤵
  - Program crash
  PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1596
  2⤵
  - Program crash
  PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1632
  2⤵
  - Program crash
  PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3468 -ip 3468
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3468 -ip 3468
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3468 -ip 3468
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3468 -ip 3468
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3468 -ip 3468
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3468 -ip 3468
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3468 -ip 3468
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3468 -ip 3468
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3468 -ip 3468
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3468 -ip 3468
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5084 -ip 5084
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5084 -ip 5084
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5efe7f817ac703bbf63c79ad97ec948f

SHA1
3c34d7611f0aa11b18774e268c6bb62df313479c

SHA256
df6ec3b076296ad1765293a1e51ea922d748a36f45baea635a3bc52a01f8e697

SHA512
3700a312e2c846b8a58603ccef23561dc39b2eccf377abd6cf5bcfba4b7e32c8e702b183994f2aed371237f2c2b298e9fd15ab3a73548350dcf9f5d56b5e5ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c4fb085aecb2e27a8877e885d2c1e4e6

SHA1
311647963bc7fae72a297d9c51e30343749fd66e

SHA256
1da9ee2826977bb4b833a94f3c845720bb90f2b1f4b8a445bd7673d07f9b628d

SHA512
31b3afac613105b49e25f73ccb5e251c93ef19b02fbda9dbda56721d8087419ee9600945e41df75f7e0ff49ecd953f1fc69ed28826e1702bef1e3b3741c492cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e7c18b43937b6686d6bae5dcf7584791

SHA1
69a2a70ea2b259481da65073bf599743c378e70f

SHA256
aa56ace171008c47f24362de573397b29f1834a2e8a8404618e357997c4c386a

SHA512
27a3ca788b67b236f1a483e6e83802be9848d737d2fe46eba40fe80ccf13ea96aadb2d670cab99b8390652c554bd813dd452d8d33d2db75706a73e2d44d3e8cb

Download Submit
C:\Users\Admin\AppData\Local\0a4ad479-c70d-4277-bd39-95cbdfcb7d85\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe

Filesize
1.1MB

MD5
5b3c8242aab49db13a10b3454bf14ac8

SHA1
9667f4b95635d6e464963b47a2b559ca8a6add94

SHA256
81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9

SHA512
4aa7493a8a978e67b3e7a6f2f6008b74ca92e7a2bf34846bec189180ffce1022c38b80af39d52713c36e026ff20c9e660c6f80157fc05de4c25b502f35a2be32

Download Submit
C:\Users\Admin\AppData\Local\0a4ad479-c70d-4277-bd39-95cbdfcb7d85\81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9.exe

Filesize
1.1MB

MD5
5b3c8242aab49db13a10b3454bf14ac8

SHA1
9667f4b95635d6e464963b47a2b559ca8a6add94

SHA256
81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9

SHA512
4aa7493a8a978e67b3e7a6f2f6008b74ca92e7a2bf34846bec189180ffce1022c38b80af39d52713c36e026ff20c9e660c6f80157fc05de4c25b502f35a2be32

Download Submit
memory/1444-16-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1444-2-0x0000000000C80000-0x0000000000D45000-memory.dmp

Filesize
788KB

Download
memory/1444-18-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1444-0-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1444-3-0x0000000000D50000-0x0000000000E6A000-memory.dmp

Filesize
1.1MB

Download
memory/1444-10-0x0000000000D50000-0x0000000000E6A000-memory.dmp

Filesize
1.1MB

Download
memory/1444-5-0x0000000000C80000-0x0000000000D45000-memory.dmp

Filesize
788KB

Download
memory/1444-4-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3468-35-0x0000000000CC0000-0x0000000000D92000-memory.dmp

Filesize
840KB

Download
memory/3468-36-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3468-38-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5084-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5084-26-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5084-27-0x0000000000BE0000-0x0000000000CB2000-memory.dmp

Filesize
840KB

Download
memory/5084-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5084-32-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5084-20-0x0000000000BE0000-0x0000000000CB2000-memory.dmp

Filesize
840KB

Download
memory/5084-37-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5084-349-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download