Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2022 10:26
Static task
static1
Behavioral task
behavioral1
Sample
cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
27 signatures
150 seconds
General
-
Target
cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe
-
Size
231KB
-
MD5
863a4e0dfafeb5d8c5e339485f001d91
-
SHA1
5a0af906dae62411c187f2b9c1d4d65c37bda2eb
-
SHA256
cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48
-
SHA512
8871d115825c0fcb194befdc09667df8c55368050e97aca2598bffd1de4878490be4f16588856fa34ce2d0870a2c78fecb71f53a34f1a3499a8732061d153b9b
-
SSDEEP
3072:WuI/bLt4ZX5PJ2GIVD3O6wv7fbSyGVQ+3V8zkzlS1g/tK8AFsk7LrcSb54VIcVTk:iLt4ZlJ2leRv7GPVX8zCtK8qskXbIr
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/1180-133-0x00000000006B0000-0x00000000006B9000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 45 1184 rundll32.exe 48 1184 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2060 A103.exe -
Loads dropped DLL 1 IoCs
pid Process 1184 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1184 set thread context of 536 1184 rundll32.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4676 2060 WerFault.exe 87 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe -
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found -
Modifies registry class 30 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009a55835b100054656d7000003a0009000400efbe0c551d9c9a55885b2e000000000000000000000000000000000000000000000000008e8d6b00540065006d007000000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3032 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1180 cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe 1180 cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3032 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1180 cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeDebugPrivilege 1184 rundll32.exe Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found Token: SeShutdownPrivilege 3032 Process not Found Token: SeCreatePagefilePrivilege 3032 Process not Found -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 536 rundll32.exe 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found 1184 rundll32.exe 3032 Process not Found 3032 Process not Found 3032 Process not Found 3032 Process not Found -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3032 Process not Found 3032 Process not Found -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3032 wrote to memory of 2060 3032 Process not Found 87 PID 3032 wrote to memory of 2060 3032 Process not Found 87 PID 3032 wrote to memory of 2060 3032 Process not Found 87 PID 2060 wrote to memory of 1184 2060 A103.exe 88 PID 2060 wrote to memory of 1184 2060 A103.exe 88 PID 2060 wrote to memory of 1184 2060 A103.exe 88 PID 1184 wrote to memory of 536 1184 rundll32.exe 92 PID 1184 wrote to memory of 536 1184 rundll32.exe 92 PID 1184 wrote to memory of 536 1184 rundll32.exe 92 PID 1184 wrote to memory of 2320 1184 rundll32.exe 93 PID 1184 wrote to memory of 2320 1184 rundll32.exe 93 PID 1184 wrote to memory of 2320 1184 rundll32.exe 93 PID 1184 wrote to memory of 1388 1184 rundll32.exe 95 PID 1184 wrote to memory of 1388 1184 rundll32.exe 95 PID 1184 wrote to memory of 1388 1184 rundll32.exe 95 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe"C:\Users\Admin\AppData\Local\Temp\cb910537eef3d2844095f2934bc16f00f602ac6efe384cc18a0f7667f2538d48.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1180
-
C:\Users\Admin\AppData\Local\Temp\A103.exeC:\Users\Admin\AppData\Local\Temp\A103.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1184 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 140333⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:536
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:2320
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:1388
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 5282⤵
- Program crash
PID:4676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2060 -ip 20601⤵PID:2608
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4180
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1022KB
MD58e1fa9f186fde8e12741505d3a4bc629
SHA1230996e3245dfa7a3352a1003defee1f096bf889
SHA25688dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970
SHA51242762e72cdd4e694468166df618d82a9cc7212382b7718291142b3d6dc394faceb881287a7a0fe0aeeeb6972f611f47a627eee7b938df2086838ede740a9b423
-
Filesize
1022KB
MD58e1fa9f186fde8e12741505d3a4bc629
SHA1230996e3245dfa7a3352a1003defee1f096bf889
SHA25688dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970
SHA51242762e72cdd4e694468166df618d82a9cc7212382b7718291142b3d6dc394faceb881287a7a0fe0aeeeb6972f611f47a627eee7b938df2086838ede740a9b423
-
Filesize
792KB
MD5822d3ead416a1a85cb96e65f65cd5ae2
SHA1af32b69e2835d1cacdadb97ae6dfafccc32d1837
SHA25672bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d
SHA51248d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260
-
Filesize
792KB
MD5822d3ead416a1a85cb96e65f65cd5ae2
SHA1af32b69e2835d1cacdadb97ae6dfafccc32d1837
SHA25672bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d
SHA51248d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260