icedid | acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc

Analysis

max time kernel
111s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
Size

310KB
MD5

bf6d16644fd75fc2998358a95dffface
SHA1

e2d530ef0eaf32deee0be90bf17f4b436a815f7c
SHA256

acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc
SHA512

a1f52e3b19a3d38e457abfcf81897047ab9db690085bd68a334372069988bea2d33b1590ecde309548e0b94de990246ce3230853894a6327de1af7e35ec17514

Score

10^/10

icedid smokeloader 1843818144 backdoor banker loader trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

grendafolz.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1708 created 4600 1708 WerFault.exe B282.exe
PID 3692 created 1856 3692 WerFault.exe CF52.exe

description	pid	process	target process
PID 1708 created 4600	1708	WerFault.exe	B282.exe
PID 3692 created 1856	3692	WerFault.exe	CF52.exe

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/688-144-0x0000021FB2090000-0x0000021FB209B000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

101 4720 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

6078.exe7EEE.exeB282.exeCF52.exe

pid process

3376 6078.exe
688 7EEE.exe
4600 B282.exe
1856 CF52.exe

flow	pid	process
101	4720	rundll32.exe

pid	process
3376	6078.exe
688	7EEE.exe
4600	B282.exe
1856	CF52.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4244	4600	WerFault.exe	B282.exe
5020	1856	WerFault.exe	CF52.exe
4072	1856	WerFault.exe	CF52.exe
428	4600	WerFault.exe	B282.exe
456	1856	WerFault.exe	CF52.exe
4892	4600	WerFault.exe	B282.exe
4748	1856	WerFault.exe	CF52.exe
4760	4600	WerFault.exe	B282.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe6078.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6078.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6078.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6078.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CF52.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	CF52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CF52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	CF52.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CF52.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CF52.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	CF52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	CF52.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe

pid	process
4420	ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
4420	ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1068
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe6078.exe

pid process

4420 ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
3376 6078.exe

pid	process
1068

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	4244	WerFault.exe
Token: SeBackupPrivilege	4244	WerFault.exe
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeIncreaseQuotaPrivilege	4192	WMIC.exe
Token: SeSecurityPrivilege	4192	WMIC.exe
Token: SeTakeOwnershipPrivilege	4192	WMIC.exe
Token: SeLoadDriverPrivilege	4192	WMIC.exe
Token: SeSystemProfilePrivilege	4192	WMIC.exe
Token: SeSystemtimePrivilege	4192	WMIC.exe
Token: SeProfSingleProcessPrivilege	4192	WMIC.exe
Token: SeIncBasePriorityPrivilege	4192	WMIC.exe
Token: SeCreatePagefilePrivilege	4192	WMIC.exe
Token: SeBackupPrivilege	4192	WMIC.exe
Token: SeRestorePrivilege	4192	WMIC.exe
Token: SeShutdownPrivilege	4192	WMIC.exe
Token: SeDebugPrivilege	4192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4192	WMIC.exe
Token: SeRemoteShutdownPrivilege	4192	WMIC.exe
Token: SeUndockPrivilege	4192	WMIC.exe
Token: SeManageVolumePrivilege	4192	WMIC.exe
Token: 33	4192	WMIC.exe
Token: 34	4192	WMIC.exe
Token: 35	4192	WMIC.exe
Token: 36	4192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4192	WMIC.exe
Token: SeSecurityPrivilege	4192	WMIC.exe
Token: SeTakeOwnershipPrivilege	4192	WMIC.exe
Token: SeLoadDriverPrivilege	4192	WMIC.exe
Token: SeSystemProfilePrivilege	4192	WMIC.exe
Token: SeSystemtimePrivilege	4192	WMIC.exe
Token: SeProfSingleProcessPrivilege	4192	WMIC.exe
Token: SeIncBasePriorityPrivilege	4192	WMIC.exe
Token: SeCreatePagefilePrivilege	4192	WMIC.exe
Token: SeBackupPrivilege	4192	WMIC.exe
Token: SeRestorePrivilege	4192	WMIC.exe
Token: SeShutdownPrivilege	4192	WMIC.exe
Token: SeDebugPrivilege	4192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4192	WMIC.exe
Token: SeRemoteShutdownPrivilege	4192	WMIC.exe
Token: SeUndockPrivilege	4192	WMIC.exe
Token: SeManageVolumePrivilege	4192	WMIC.exe
Token: 33	4192	WMIC.exe
Token: 34	4192	WMIC.exe
Token: 35	4192	WMIC.exe
Token: 36	4192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3776	WMIC.exe
Token: SeSecurityPrivilege	3776	WMIC.exe
Token: SeTakeOwnershipPrivilege	3776	WMIC.exe
Token: SeLoadDriverPrivilege	3776	WMIC.exe
Token: SeSystemProfilePrivilege	3776	WMIC.exe
Token: SeSystemtimePrivilege	3776	WMIC.exe
Token: SeProfSingleProcessPrivilege	3776	WMIC.exe
Token: SeIncBasePriorityPrivilege	3776	WMIC.exe
Token: SeCreatePagefilePrivilege	3776	WMIC.exe
Token: SeBackupPrivilege	3776	WMIC.exe
Token: SeRestorePrivilege	3776	WMIC.exe
Token: SeShutdownPrivilege	3776	WMIC.exe
Token: SeDebugPrivilege	3776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3776	WMIC.exe
Token: SeRemoteShutdownPrivilege	3776	WMIC.exe
Token: SeUndockPrivilege	3776	WMIC.exe
Token: SeManageVolumePrivilege	3776	WMIC.exe
Token: 33	3776	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

B282.exeWerFault.execmd.exeWerFault.exe

description	pid	process	target process
PID 1068 wrote to memory of 3376	1068		6078.exe
PID 1068 wrote to memory of 3376	1068		6078.exe
PID 1068 wrote to memory of 3376	1068		6078.exe
PID 1068 wrote to memory of 688	1068		7EEE.exe
PID 1068 wrote to memory of 688	1068		7EEE.exe
PID 1068 wrote to memory of 4600	1068		B282.exe
PID 1068 wrote to memory of 4600	1068		B282.exe
PID 1068 wrote to memory of 4600	1068		B282.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 1708 wrote to memory of 4600	1708	WerFault.exe	B282.exe
PID 1708 wrote to memory of 4600	1708	WerFault.exe	B282.exe
PID 1068 wrote to memory of 1856	1068		CF52.exe
PID 1068 wrote to memory of 1856	1068		CF52.exe
PID 1068 wrote to memory of 1856	1068		CF52.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 4600 wrote to memory of 4720	4600	B282.exe	rundll32.exe
PID 1068 wrote to memory of 1604	1068		cmd.exe
PID 1068 wrote to memory of 1604	1068		cmd.exe
PID 1604 wrote to memory of 4192	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 4192	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 3776	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 3776	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1600	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1600	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 4548	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 4548	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 4576	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 4576	1604	cmd.exe	WMIC.exe
PID 3692 wrote to memory of 1856	3692	WerFault.exe	CF52.exe
PID 3692 wrote to memory of 1856	3692	WerFault.exe	CF52.exe

C:\Users\Admin\AppData\Local\Temp\ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
"C:\Users\Admin\AppData\Local\Temp\ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4420

C:\Users\Admin\AppData\Local\Temp\6078.exe
C:\Users\Admin\AppData\Local\Temp\6078.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3376

C:\Users\Admin\AppData\Local\Temp\7EEE.exe
C:\Users\Admin\AppData\Local\Temp\7EEE.exe
1⤵
- Executes dropped EXE
PID:688

C:\Users\Admin\AppData\Local\Temp\B282.exe
C:\Users\Admin\AppData\Local\Temp\B282.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 608
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 880
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 932
2⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1040
2⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4600 -ip 4600
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\CF52.exe
C:\Users\Admin\AppData\Local\Temp\CF52.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 836
2⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 916
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 912
2⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 920
2⤵
- Program crash
PID:4748

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1600

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4548

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1856 -ip 1856
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Roaming\dtaufsr
C:\Users\Admin\AppData\Roaming\dtaufsr
1⤵
PID:476

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4844

C:\Users\Admin\AppData\Roaming\dhaufsr
C:\Users\Admin\AppData\Roaming\dhaufsr
1⤵
PID:3024

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:17410 /prefetch:2
2⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1856 -ip 1856
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4600 -ip 4600
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1856 -ip 1856
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4600 -ip 4600
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1856 -ip 1856
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4600 -ip 4600
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6078.exe

MD5
4d57e60ba0331722725a1383859057db

SHA1
eeea99876485cc9b747009a8de739d75ae3edcf1

SHA256
28b081408c83eef255021424744fa36738df41e3edcb614ba13d9969350d6bde

SHA512
d8362ff9294f3561abccc8cd11b13f3321aa4d0e67dbc74cf7849716e7ff7cf0ed0f07f8c2000869db9116ba82f2c7495b2b80749a5a1263e8fe8cc5c714e86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6078.exe

MD5
4d57e60ba0331722725a1383859057db

SHA1
eeea99876485cc9b747009a8de739d75ae3edcf1

SHA256
28b081408c83eef255021424744fa36738df41e3edcb614ba13d9969350d6bde

SHA512
d8362ff9294f3561abccc8cd11b13f3321aa4d0e67dbc74cf7849716e7ff7cf0ed0f07f8c2000869db9116ba82f2c7495b2b80749a5a1263e8fe8cc5c714e86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EEE.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EEE.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aeesafyftaohi.tmp

MD5
748bbd8633ad346381c0ae69be3a0ca3

SHA1
307a99df0a4ca1c550b536d79574497b4b3163eb

SHA256
25869e4d0fa9fcfb2446560efe9d2ef6cae8f334508d1ba7cea5e539517e40a9

SHA512
7a02ba4eb28a6985b2d4c95fe7ff9cbbc42f93a68db247ef8f58a13fc6b283dd79c594f5b7b5f3b9efc1adedc2d19b476031297bf794cd03c23ce59ad475fca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B282.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Local\Temp\B282.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF52.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF52.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Roaming\dhaufsr

MD5
bf6d16644fd75fc2998358a95dffface

SHA1
e2d530ef0eaf32deee0be90bf17f4b436a815f7c

SHA256
acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc

SHA512
a1f52e3b19a3d38e457abfcf81897047ab9db690085bd68a334372069988bea2d33b1590ecde309548e0b94de990246ce3230853894a6327de1af7e35ec17514

Download Submit
C:\Users\Admin\AppData\Roaming\dhaufsr

MD5
bf6d16644fd75fc2998358a95dffface

SHA1
e2d530ef0eaf32deee0be90bf17f4b436a815f7c

SHA256
acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc

SHA512
a1f52e3b19a3d38e457abfcf81897047ab9db690085bd68a334372069988bea2d33b1590ecde309548e0b94de990246ce3230853894a6327de1af7e35ec17514

Download Submit
C:\Users\Admin\AppData\Roaming\dtaufsr

MD5
4d57e60ba0331722725a1383859057db

SHA1
eeea99876485cc9b747009a8de739d75ae3edcf1

SHA256
28b081408c83eef255021424744fa36738df41e3edcb614ba13d9969350d6bde

SHA512
d8362ff9294f3561abccc8cd11b13f3321aa4d0e67dbc74cf7849716e7ff7cf0ed0f07f8c2000869db9116ba82f2c7495b2b80749a5a1263e8fe8cc5c714e86e

Download Submit
C:\Users\Admin\AppData\Roaming\dtaufsr

MD5
4d57e60ba0331722725a1383859057db

SHA1
eeea99876485cc9b747009a8de739d75ae3edcf1

SHA256
28b081408c83eef255021424744fa36738df41e3edcb614ba13d9969350d6bde

SHA512
d8362ff9294f3561abccc8cd11b13f3321aa4d0e67dbc74cf7849716e7ff7cf0ed0f07f8c2000869db9116ba82f2c7495b2b80749a5a1263e8fe8cc5c714e86e

Download Submit
memory/688-144-0x0000021FB2090000-0x0000021FB209B000-memory.dmp

Filesize
44KB

Download
memory/1068-158-0x00000000080D0000-0x00000000080DF000-memory.dmp

Filesize
60KB

Download
memory/1068-143-0x0000000002770000-0x0000000002786000-memory.dmp

Filesize
88KB

Download
memory/1068-135-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/1856-171-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/1856-209-0x0000000003AD0000-0x0000000003C10000-memory.dmp

Filesize
1.2MB

Download
memory/1856-200-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1856-198-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/1856-176-0x0000000002EC1000-0x000000000390B000-memory.dmp

Filesize
10.3MB

Download
memory/1856-205-0x0000000003AD0000-0x0000000003C10000-memory.dmp

Filesize
1.2MB

Download
memory/1856-206-0x0000000003AD0000-0x0000000003C10000-memory.dmp

Filesize
1.2MB

Download
memory/1856-175-0x0000000077C52000-0x0000000077C53000-memory.dmp

Filesize
4KB

Download
memory/1856-174-0x0000000002EC0000-0x000000000390B000-memory.dmp

Filesize
10.3MB

Download
memory/1856-172-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/1856-199-0x0000000002EC0000-0x000000000390B000-memory.dmp

Filesize
10.3MB

Download
memory/1856-201-0x0000000003AD0000-0x0000000003C10000-memory.dmp

Filesize
1.2MB

Download
memory/1856-203-0x0000000003AD0000-0x0000000003C10000-memory.dmp

Filesize
1.2MB

Download
memory/1856-204-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1856-208-0x0000000003AD0000-0x0000000003C10000-memory.dmp

Filesize
1.2MB

Download
memory/1856-207-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3376-138-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/3376-139-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/3376-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4320-216-0x0000000001000000-0x000000000192B000-memory.dmp

Filesize
9.2MB

Download
memory/4320-221-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/4320-217-0x0000000077C52000-0x0000000077C53000-memory.dmp

Filesize
4KB

Download
memory/4320-223-0x0000000003FFF000-0x0000000004000000-memory.dmp

Filesize
4KB

Download
memory/4320-213-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/4320-215-0x00000000033C0000-0x0000000003E0B000-memory.dmp

Filesize
10.3MB

Download
memory/4320-224-0x000000000406D000-0x000000000406E000-memory.dmp

Filesize
4KB

Download
memory/4320-220-0x00000000033C0000-0x0000000003E0B000-memory.dmp

Filesize
10.3MB

Download
memory/4320-219-0x0000000003F60000-0x00000000040A0000-memory.dmp

Filesize
1.2MB

Download
memory/4320-222-0x0000000003F60000-0x00000000040A0000-memory.dmp

Filesize
1.2MB

Download
memory/4320-218-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/4420-133-0x0000000002290000-0x0000000002299000-memory.dmp

Filesize
36KB

Download
memory/4420-131-0x00000000008FE000-0x000000000090E000-memory.dmp

Filesize
64KB

Download
memory/4420-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4420-132-0x00000000008FE000-0x000000000090E000-memory.dmp

Filesize
64KB

Download
memory/4600-184-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-212-0x0000000003D9E000-0x0000000003D9F000-memory.dmp

Filesize
4KB

Download
memory/4600-180-0x0000000077C52000-0x0000000077C53000-memory.dmp

Filesize
4KB

Download
memory/4600-185-0x00000000030C0000-0x0000000003B0B000-memory.dmp

Filesize
10.3MB

Download
memory/4600-186-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/4600-187-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-188-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-190-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-189-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4600-191-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-192-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/4600-193-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-194-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-195-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4600-196-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-197-0x0000000003C90000-0x0000000003DD0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-179-0x00000000030C0000-0x0000000003B0B000-memory.dmp

Filesize
10.3MB

Download
memory/4600-147-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/4600-148-0x00000000024A0000-0x0000000002580000-memory.dmp

Filesize
896KB

Download
memory/4600-202-0x0000000077C52000-0x0000000077C53000-memory.dmp

Filesize
4KB

Download
memory/4600-149-0x0000000002580000-0x00000000027A9000-memory.dmp

Filesize
2.2MB

Download
memory/4600-150-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/4600-151-0x00000000005E9000-0x00000000005F2000-memory.dmp

Filesize
36KB

Download
memory/4600-152-0x0000000077C52000-0x0000000077C53000-memory.dmp

Filesize
4KB

Download
memory/4600-181-0x00000000030C1000-0x0000000003B0B000-memory.dmp

Filesize
10.3MB

Download
memory/4600-214-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4600-211-0x0000000003D2F000-0x0000000003D30000-memory.dmp

Filesize
4KB

Download
memory/4720-156-0x0000000077C54000-0x0000000077C55000-memory.dmp

Filesize
4KB

Download
memory/4720-155-0x0000000000B00000-0x0000000000B04000-memory.dmp

Filesize
16KB

Download
memory/4720-165-0x0000000000B70000-0x0000000000B74000-memory.dmp

Filesize
16KB

Download
memory/4720-161-0x0000000000B30000-0x0000000000B34000-memory.dmp

Filesize
16KB

Download
memory/4720-166-0x0000000000B80000-0x0000000000B84000-memory.dmp

Filesize
16KB

Download
memory/4720-160-0x0000000000B20000-0x0000000000B24000-memory.dmp

Filesize
16KB

Download
memory/4720-163-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/4720-157-0x0000000075C14000-0x0000000075C15000-memory.dmp

Filesize
4KB

Download
memory/4720-162-0x0000000000B40000-0x0000000000B44000-memory.dmp

Filesize
16KB

Download
memory/4720-164-0x0000000000B60000-0x0000000000B64000-memory.dmp

Filesize
16KB

Download
memory/4720-167-0x0000000000B90000-0x0000000000B94000-memory.dmp

Filesize
16KB

Download
memory/4720-159-0x0000000000B10000-0x0000000000B14000-memory.dmp

Filesize
16KB

Download
memory/4720-169-0x0000000000BB0000-0x0000000000BB4000-memory.dmp

Filesize
16KB

Download
memory/4720-168-0x0000000000BA0000-0x0000000000BA4000-memory.dmp

Filesize
16KB

Download
memory/4720-170-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download