djvu | hxxps://bazaar[.]abuse[.]ch/sample/2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7/#comments

Analysis

max time kernel
128s
max time network
112s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-09-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7/#comments

Score

10^/10

djvu discovery ransomware

Malware Config

Extracted

Family

djvu

http://jfus.top/nddddhsspen6/get.php

Attributes

extension
.rejg
offline_id
ffMYeEIl8VXTNtDFDB8XTask2PZgkOrOTmhHKet1
payload_url
http://jfus.top/files/penelop/updatewin1.exe

http://jfus.top/files/penelop/updatewin2.exe

http://jfus.top/files/penelop/updatewin.exe

http://jfus.top/files/penelop/3.exe

http://jfus.top/files/penelop/4.exe

http://jfus.top/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-t9u4WFnEtN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0295Sirj

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/4400-258-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Executes dropped EXE 1 IoCs

pid	Process
4400	2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	api.2ip.ua
34	api.2ip.ua

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2780	4400	WerFault.exe	88
2516	4400	WerFault.exe	88
3904	4400	WerFault.exe	88
4216	4400	WerFault.exe	88
4204	4400	WerFault.exe	88
3448	4400	WerFault.exe	88
2748	4400	WerFault.exe	88
5052	4400	WerFault.exe	88
220	4400	WerFault.exe	88
1000	4400	WerFault.exe	88
4644	4400	WerFault.exe	88
2948	4400	WerFault.exe	88
3720	4400	WerFault.exe	88
4612	4400	WerFault.exe	88
4852	4400	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133721170999360932"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
588	chrome.exe
588	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeShutdownPrivilege	588	chrome.exe
Token: SeCreatePagefilePrivilege	588	chrome.exe
Token: SeRestorePrivilege	984	7zG.exe
Token: 35	984	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
984	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe
588	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2596	588	chrome.exe	72
PID 588 wrote to memory of 2596	588	chrome.exe	72
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 5028	588	chrome.exe	74
PID 588 wrote to memory of 2368	588	chrome.exe	75
PID 588 wrote to memory of 2368	588	chrome.exe	75
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76
PID 588 wrote to memory of 4596	588	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7/#comments
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe349d9758,0x7ffe349d9768,0x7ffe349d9778
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4484 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4876 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 --field-trial-handle=1824,i,14440356354874307950,16963314504820320558,131072 /prefetch:8
  2⤵
  PID:4528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5088

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10009:190:7zEvent8364
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:984

C:\Users\Admin\Downloads\2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7.exe
"C:\Users\Admin\Downloads\2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 868
  2⤵
  - Program crash
  PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 856
  2⤵
  - Program crash
  PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 932
  2⤵
  - Program crash
  PID:3904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1116
  2⤵
  - Program crash
  PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1080
  2⤵
  - Program crash
  PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1176
  2⤵
  - Program crash
  PID:3448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1484
  2⤵
  - Program crash
  PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1124
  2⤵
  - Program crash
  PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1516
  2⤵
  - Program crash
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1724
  2⤵
  - Program crash
  PID:1000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1512
  2⤵
  - Program crash
  PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1716
  2⤵
  - Program crash
  PID:2948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1492
  2⤵
  - Program crash
  PID:3720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1108
  2⤵
  - Program crash
  PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 832
  2⤵
  - Program crash
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
22KB

MD5
3b5537dce96f57098998e410b0202920

SHA1
7732b57e4e3bbc122d63f67078efa7cf5f975448

SHA256
a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88

SHA512
c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
97KB

MD5
7bcda9c71a803cb277e033fe0d50f3ed

SHA1
b3cfb74441d3adc76a68b95efa565ab8b4b4ace9

SHA256
be8b321d20855bd02e9b894a4d0764a0c63a5fea0480b31d8ee475abc95a80e9

SHA512
c21f565b805b3f425b2e39cc43bf16e8e2af82ba11942e3cf30da6c74334b3a318b418c18a9d7a1d0940650269af8c8066ae756fb972557dabe8296a6ebaeed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
3b49c87daa14c91d090d41ae8c8577a7

SHA1
8c873b7f96ef8ab28e9f78d701980d5b47ad1147

SHA256
26631798c1dca5e6bf2fbdb34b91e2069c58f07ba1ed431368ffac92f0e18f9e

SHA512
252ba77c73f2b4c53a46cfc1c93f67965fcea401b8f0b1661d64fae1cf4502c24d0dc7b668d6c6406d4841822ad004918e90fbd2f0cf6256c7f1c92d2102551b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6fd9afd2a36215e74d2eb06c1f5e482e

SHA1
2c0f1293dcc0f4de6516eecf3dac0aede199ef78

SHA256
aeb5055519b3bf13043167e293bb12f9efb04fa802cf3cd434f77ce404b9d69f

SHA512
05a8e8a5d88fcb4fe70b3153a61a4f9fb0f27e1384e53ae7ca51bd42ade2b5c1b0209071fe0b2b3bde7f585d513ca6be46a1f1a8967ad130328a28272293b48c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
093947a68ff300468227d200e9b02c07

SHA1
d22ffbc831cd822d0361532df3a2bae7f3eb7dc0

SHA256
8701898d5563951bfa779b7db39bc1c412170a25fa12ee21ea7a20243e5aedd6

SHA512
590ed1ebcfc7be79bf8527caefc7db984db19e97fec1aa2afd7dd5f242988bf8d4ee1e94a25d7ca14deee3d5a87b0df3b486fad2072d42f04c3114a73bdfe68c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
700de86b3ca0b2f1b64915d0245312cb

SHA1
a476344186f2edc085a4d32b7d62af2a69e971f0

SHA256
fd2b6f52d5d088db9a118ca9adf22d1a2409cff9b46081ca3a4df4d38e89f77b

SHA512
29d13af11ab76be61a52e83a5257b478ad8d239f08360e7ff164efa2fffdc0584b9e8e0da4c7c8ff27dc6dff20f943efd114c51e7afb2729ca79ba4bfd542f7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
f4dd1e2d2e2aa32f9213633efed5aa14

SHA1
e30c7ad5e9a752f4181a78eea3d8224ba667f2fa

SHA256
fee50408fcc1afd9a9f9f34949249b4c73394bdb64af42c92a3eb52e18984a83

SHA512
eb1a199709678f4b8ad520ba126abb7af4192c46f4b72aa8f85bcd2c5492110f51527cf472b2e1f9c619ce36b839e35dcdc03946630636ce75785890576baa7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ee34cfa8bcd674aa53a776752969b084

SHA1
efdf1d613234e039ebcc00fa13390f7c8be6dfcf

SHA256
a351a607fbdf862be07d51e2fd656b1f342b1d06e1ec5d6be64af5aea3c87da7

SHA512
8e73590cd42fd88340c0bdd8b1837922afe12091fdf2c6202565eacf0cb03caa75957ae8493fff0243f3df68f8d7a4b5f9925ed001bdca31f720e6885184bb85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2c272b8d3eeabbc7cb2fe4cb77bf0c68

SHA1
33c0d17ade87a4ded56e161a05c8c26fc5cb89b0

SHA256
733419318a5b2daf99bb0d5e1d3dd5510718f41fd87d76479f7e490db2accf5d

SHA512
f271f20881cccb642ec89955fde6e94974b9bfa5cafd2509351a7bb218b2ec86b7da4d3084ccde46ccd3538a1a5b5e320ee42a0dd582b5311b7d0a3f6872d09d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
ee7ecb149d6ce2277496dc1b2b277426

SHA1
26fc1ef37bc66dbf4f961532ca8bd84f0eff058e

SHA256
d496ab89fc30e86f62faaaa8d9f846746e12eb59896fbb653d02964e42510dad

SHA512
bb7e9f0d4cdb02a550019558b63c2a09c2ff19343ae68c0798a7ea3bb33b620571f7f67e4cc1186e6054627f7d582f4567f4784c7c2e41f9331d121775a89108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
5dc7e2bfb0d0cefaa8098e3c3dd4b2e0

SHA1
35f1c8fd10985c792dcdaa236c4a6d193511f294

SHA256
6dd4055f3aeec569e90d4395bb8d4d93ba5f057226134fb3b247696d64cec97a

SHA512
f12bff034b9612a9cbc062f7a3217ef6088a6842d437725fccc713ef2e92bd6dee86c7c008047a7483e2b78ba45f722cf31010c3156343ac0f11caa6d393ba68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
bc88c3d1351d90fd53315bac8291a37b

SHA1
1ca4c8316c397b85569176e8e3a2dcf9d5a790b0

SHA256
84e5d5272705cc029a3242be14daaafdd00a998e888fc5c11ac6e168c7aa2bbd

SHA512
b2e8d4c2d3bda84853a6e4aa5f00a7ed2faadff815b7e52b1a09887bb016e50fd7a77e286b70593646c960faf064f258d487a65da54b7d24dcd9c4bdca798c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7.exe

Filesize
869KB

MD5
b61223f5063b9290cb7177e0915be648

SHA1
041b2958f50c016f1d2525848b2e0b3cefad1dc3

SHA256
2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7

SHA512
d492e72bea3996df52eb0631c411e806a9130bc1bc2dea514247f0c834c3316473bbe751dfa6692355d035ee229cb8fe7e5df609af757963d9c4641c35eb589f

Download Submit
C:\Users\Admin\Downloads\2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7.zip

Filesize
721KB

MD5
76c73448e643dfe153046629ebb819e2

SHA1
ee94503456bf15e36831e4c526b5ab43dec42f13

SHA256
f211d7386484d1a345c2504e30b03bc102582be3dd5313dd284684fb69d8860f

SHA512
133c1d57250d2ad7196e9eb21dc066bfd6d056ea80a8392336591ad3726a700273de2c0e87fe3847749899fb1012614a7bf890c582df38f40de24b8505bd33e1

Download Submit
memory/4400-258-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download