Analysis

max time kernel
295s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
15/01/2024, 04:57
Static task
static1
Behavioral task
behavioral1
Sample
c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Resource
win10-20231220-en
General

Target
c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Size
810KB
MD5
07afa7fb45fe53d165679586b77be770
SHA1
a4065fbfaa0d0344983f5eaa760504845cdc8f87
SHA256
c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6
SHA512
a47911bd2fdbb476c9ca96a253f9737411f562185da9f064b6698994cefe9f34187e29ba3be315a2abfba7ef746aff2aaa8b1bda793b4c89c918b6665ef66440
SSDEEP
12288:2xkismkgVjrrwdGmfO/SYQiU9By6FKhQseDMqfnu+qcspmi177gJzWF:wkgVaGwO/xXUPy6ohdeAqBqc7z

Malware Config

Extracted
djvu
http://zexeq.com/test1/get.php

extension
.cdwe

offline_id
dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1

payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe

ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures

Detect Vidar Stealer 5 IoCs
resource  yara_rule
behavioral1/memory/2084-157-0x00000000003A0000-0x00000000003EB000-memory.dmp  family_vidar_v6
behavioral1/memory/2112-159-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
behavioral1/memory/2112-158-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
behavioral1/memory/2112-152-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
behavioral1/memory/2112-280-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6

Detected Djvu ransomware 14 IoCs
resource  yara_rule
behavioral1/memory/1888-7-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1888-8-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1888-5-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2552-3-0x00000000008F0000-0x0000000000A0B000-memory.dmp  family_djvu
behavioral1/memory/1888-26-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-39-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-122-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-135-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-136-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-156-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-282-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-284-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-285-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1356-286-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid   Process
2084  build2.exe
2112  build2.exe

Loads dropped DLL 6 IoCs
pid   Process
1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
2504  WerFault.exe
2504  WerFault.exe
2504  WerFault.exe
2504  WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
pid   Process
2904  icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9694d6b-38b7-4597-9328-f327c57c0aa4\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart"  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     api.2ip.ua
4     api.2ip.ua
9     api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process                                                                processid_target
PID 2552 set thread context of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2720 set thread context of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2084 set thread context of 2112  2084  build2.exe                                                             34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid   pid_target  Process       procid_target
2504  2112        WerFault.exe  34
Modifies system certificate store
description       ioc  Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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  build2.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  build2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a  build2.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

Suspicious use of WriteProcessMemory 49 IoCs
description                       pid   Process                                                                procid_target
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 2552 wrote to memory of 1888  2552  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  28
PID 1888 wrote to memory of 2904  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  29
PID 1888 wrote to memory of 2904  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  29
PID 1888 wrote to memory of 2904  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  29
PID 1888 wrote to memory of 2904  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  29
PID 1888 wrote to memory of 2720  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  30
PID 1888 wrote to memory of 2720  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  30
PID 1888 wrote to memory of 2720  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  30
PID 1888 wrote to memory of 2720  1888  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  30
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 2720 wrote to memory of 1356  2720  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  31
PID 1356 wrote to memory of 2084  1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  33
PID 1356 wrote to memory of 2084  1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  33
PID 1356 wrote to memory of 2084  1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  33
PID 1356 wrote to memory of 2084  1356  c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe  33
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2084 wrote to memory of 2112  2084  build2.exe                                                             34
PID 2112 wrote to memory of 2504  2112  build2.exe                                                             37
PID 2112 wrote to memory of 2504  2112  build2.exe                                                             37
PID 2112 wrote to memory of 2504  2112  build2.exe                                                             37
PID 2112 wrote to memory of 2504  2112  build2.exe                                                             37
Processes

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
  "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2552

  C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
    "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1888

    C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID:2904

    C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
      "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:2720

      C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
        "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:1356

        C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
          "C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:2084

          C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
            "C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious use of WriteProcessMemory
            PID:2112

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1440
              - Loads dropped DLL
              - Program crash
              PID:2504
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 724B
MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
MD5 f31d5c5bf9375633b9286d0d5b375458
SHA1 c3b7d745f792350a47ff412f51047e2700e6c6b4
SHA256 92d3e1b18d3d584ee0078f0f533358b2268a5365a3303c0d8f7a3b188981070e
SHA512 4c1642dec922a60510f192be1da86d3e362d24ee059c83a18d3d8b87d4ef34ac68a03f803df435501067e1ab6f5a49294ac32c8961b7181f568dd6a2c4fa83c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 89a0c1c21f3bd545e158879bed7a8228
SHA1 4b38d02bdfc1574f36afa41531c55529df763d04
SHA256 5f694dfef7674a2a7194f6016f653fef5d581ee6b8636464aee4e8ba48132e42
SHA512 ac075d58748b91fda370c5c79451bb5fb691fa09f56e337675b19fa3329e1045f76c6cac3f28fcc81f41cc640e1154c615149abab650bcfb8f31a1628ce33f8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9423b96985768570a95246bb08952e28
SHA1 3ce52f0dff9e71dd0722e4b51531175fc6c73268
SHA256 d631f9f346af6b6d6e07a0f599e20fe177174a8c2944d01f0291453adcd05c82
SHA512 3a0a948c61a1e3983f1f61190c467289b770a40d9fa415b05d87061d737483513c5a6fa66d8f1445ddfa73b3c79cd9f5b525ee2cce371362eb624bbe51ba0069

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 392B
MD5 616ef8e533eec916885308024aafe48e
SHA1 5f42dfe598f6b6ee1a31839bbbc9c028b7d2ff6c
SHA256 0c6c1253ddd7bae0ef012920f88c4150c21443464f8fa8078504b0ad6d2f2e22
SHA512 daa96bc706990b6fd96242d15455647a0315c5f4ffd407682938ec504b984ae43ee88007f3ea5600633434518830572b1e9e2fd853b0b1ff3e69f98861ecf5c8

Filesize 265KB
MD5 55a7daea46e293fa9bf4c1e243bcf405
SHA1 99061832836e646cc5c58025ca6de08c985ac68c
SHA256 6c74c9fe6046767d60df451ab627ee488111eaa82bab035daad1d90d6d41ce1e
SHA512 a51f47a77f13d59d0f5f83c6f607a550000b7693821b48a41a1412147a9aa5a837d712e78ec96f5f7d185c2772eb7241bc42624a0acc5ac89d7d15d722060f3a

Filesize 234KB
MD5 33b11b6a7a2afb431ede5d36f06940c6
SHA1 5e06682e4644f1ff858297d1b023bc3f3be44c2f
SHA256 af8b4702af58b11b4d4935bd60064c23d020b0a24bfc3b8ed7fb9f318d530da6
SHA512 bb73b026b3e17f8de30eaa272115f8edc59e48834b53a762a121e038d8cb71743f98a879c95ae9dd4b38fcae24e8469e1beadb28d45893d281a52ec34dc6ff78

Filesize 201KB
MD5 27dd517ce59cb2d294cf664d9e7cbe50
SHA1 a35d64c2b10326bdd5b9ec103669edf60e82d0ca
SHA256 2e7f5d862172e2ade52a1a0077b068e43735d40a30c6ff293168c055910c9b1a
SHA512 5a32465d8818e97174dfe36de6ebff60eff2fd66ccab93346649ed413b0890cd38b90d6bbc0a792a60a1f92711fea0270205db765fce4992282fc3830fad2356

Filesize 138KB
MD5 95fa82818b09faaf29e49db216e67b59
SHA1 2e827e2694ab73733f2fa23a846b186c23124ac5
SHA256 bdeaa1fa185fac8563112c99f98a9e178224fb03c590cb93cfa31cfcf174850f
SHA512 dbc8803bccfd39e4d26c93c30002cae1f698cb7c1e3b7d601f9d8d72ec15719ad350feb3ee37d67de2852005cd2a46c6d117f35484ed4e21b8f88e64c64ff0fd

Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Filesize 614KB
MD5 38fac68cda54410b4e04271adfb5f905
SHA1 7b859379d5cf75ea6f7ce28a548e98bc092b7777
SHA256 7953af02b394cf7ad1fac3202df4ef47ad3397c51123799fa0be9ddb08e16133
SHA512 288ffd48dc72442ba5ae2132dd9afb7717b3352275f3c4ad24edbb81a3e62047c9d6c568e1308cd99a7705252d2ceee0d2d2cc0641fe87ee46f5b3050543aee0

Filesize 358KB
MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

Filesize 206KB
MD5 0431cb8e36a74e4b0378bc97069e7ae1
SHA1 00d90d43700e3c072dabaacb511f0f57ec2df4ce
SHA256 2daf1caa0302954352b04b81f66dea0e2f9e1eb566e0b1ac67b877df6cc765e5
SHA512 d85609624ca9d75a6b618e774dd6fe83cfcd96644d1019d1eb50bf71b799bcc5e619502dcb2257729a70a5c0fcd81fd3533c877b63dcf8512c9a8702789640b7

Filesize 326KB
MD5 ff63e9b7a52eab1cd039bfe4072a8216
SHA1 1b1ba9bbedcbeecaece8629e6a4e15c6b38122ad
SHA256 ce37a41e7ecbc5f7f59488d679fc13a780d64bfb2e84c6da0d6782a9940d45b2
SHA512 45cb1d90d2bdf258d1b49109985282fb736ba3805e24efcba2ee71c8d1a1f9ecbac43a25ad9c29d8b233f1689b5a863776fe1cce28960d55450fe2e200c155be

Filesize 262KB
MD5 a2627830af7d1ff75c7606461de62601
SHA1 ded6c1393484fdb2cb76f54c3cba8ff9f59dbadd
SHA256 8732609ee2c59b5ae851f97bf434c8a1e15b2bbb9c18fb433ad6e55c05e411c2
SHA512 863d01021e23ace70726f507768aa3cee013fb28d29b7bb79743f0580351013f925f25cc27fec23f7755111fdb8469b76a33e8fb9cda981e1b556e89fca38baa

Filesize 219KB
MD5 0a2b1a7792cddc54139263be91b9f83a
SHA1 aa7f0c411e778a3e0ddcdd9299b3a198a33f4e74
SHA256 2657b81283e43270700463ed49206c7e3b7499e4ae2b2a02ce9aade496037a03
SHA512 d5bb6ad68f1ccb7815861ef32f307cb54555d18309d8638066fdd1cf7fbc18545b69477a4aa6f0d845a18e77d459908e4a916eb1686b12d3e05020b9be3db3bd