Analysis
-
max time kernel
151s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2023, 01:40
Static task
static1
Behavioral task
behavioral1
Sample
a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
27 signatures
150 seconds
General
-
Target
a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe
-
Size
227KB
-
MD5
ff1eaf52cc5220bbc3f2155afab853ce
-
SHA1
eaac3f018469268acfc86d8bd3161571cc275c1d
-
SHA256
a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008
-
SHA512
2c9d3d5aa97f58348c02ddec931db2431630c01c26590eab190740cd6d43e3f712f2f482d6ec5a2308a7c96fc1d81c034ebdd8fa7db1271aab13a6442901c997
-
SSDEEP
3072:rpRaay9OIlO9jLp7WKI5we0LxWmzMkJvmFS8bz:rpCwJLp7L/zvg
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/3304-133-0x00000000047A0000-0x00000000047A9000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 42 1368 rundll32.exe 45 1368 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2056 DF0A.exe -
Loads dropped DLL 2 IoCs
pid Process 1368 rundll32.exe 1368 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1368 set thread context of 4700 1368 rundll32.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4052 2056 WerFault.exe 87 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe -
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found -
Modifies registry class 30 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000042562e15100054656d7000003a0009000400efbe6b558a6c425634152e000000000000000000000000000000000000000000000000002b5c3300540065006d007000000014000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2600 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3304 a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe 3304 a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2600 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3304 a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeDebugPrivilege 1368 rundll32.exe Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found Token: SeShutdownPrivilege 2600 Process not Found Token: SeCreatePagefilePrivilege 2600 Process not Found -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 4700 rundll32.exe 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found 1368 rundll32.exe 2600 Process not Found 2600 Process not Found 2600 Process not Found 2600 Process not Found -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2600 Process not Found 2600 Process not Found -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2600 wrote to memory of 2056 2600 Process not Found 87 PID 2600 wrote to memory of 2056 2600 Process not Found 87 PID 2600 wrote to memory of 2056 2600 Process not Found 87 PID 2056 wrote to memory of 1368 2056 DF0A.exe 90 PID 2056 wrote to memory of 1368 2056 DF0A.exe 90 PID 2056 wrote to memory of 1368 2056 DF0A.exe 90 PID 1368 wrote to memory of 4700 1368 rundll32.exe 93 PID 1368 wrote to memory of 4700 1368 rundll32.exe 93 PID 1368 wrote to memory of 4700 1368 rundll32.exe 93 PID 1368 wrote to memory of 4756 1368 rundll32.exe 95 PID 1368 wrote to memory of 4756 1368 rundll32.exe 95 PID 1368 wrote to memory of 4756 1368 rundll32.exe 95 PID 1368 wrote to memory of 2484 1368 rundll32.exe 97 PID 1368 wrote to memory of 2484 1368 rundll32.exe 97 PID 1368 wrote to memory of 2484 1368 rundll32.exe 97 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe"C:\Users\Admin\AppData\Local\Temp\a4ec22bcfe6b8aef8e52550999e2651c9d396604e9b966a3ab54832cb6e5d008.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3304
-
C:\Users\Admin\AppData\Local\Temp\DF0A.exeC:\Users\Admin\AppData\Local\Temp\DF0A.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll,start2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1368 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141003⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4700
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:4756
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:2484
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 5362⤵
- Program crash
PID:4052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2056 -ip 20561⤵PID:1732
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2184
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5e2aafe982145ec8ac01deb5c8da2b30c
SHA1f9aa9f29466dd038503ab66896148024d05e2b64
SHA2568143388d5e63f3e2b3927c8819e9164fbc355f9f27da10f88ec1b6e12709cf9c
SHA51248661cfecb2854d6d426975abce175d599a8272b513611bb8388f51252b56e325666835d7f8b102d596dacd66c97c037ada52c2826bf944466d21b4eae05a97f
-
Filesize
3.2MB
MD5e2aafe982145ec8ac01deb5c8da2b30c
SHA1f9aa9f29466dd038503ab66896148024d05e2b64
SHA2568143388d5e63f3e2b3927c8819e9164fbc355f9f27da10f88ec1b6e12709cf9c
SHA51248661cfecb2854d6d426975abce175d599a8272b513611bb8388f51252b56e325666835d7f8b102d596dacd66c97c037ada52c2826bf944466d21b4eae05a97f
-
Filesize
4.3MB
MD5e8720a108ab06a718139ead59450621e
SHA1d23f2e8a20798530fe570909e55374195b7838bb
SHA2564b3dcbd0f0e08a3e4f7c5b0318588ebc4d118d9ce669edb0c10c8fe27649c799
SHA5125d25e41520abcb68f5c0c9722cf9db9b2d6e808616c566979f858b2fcda0e43409dba15a19e59f05559b09f8f527abee971d4dc644cc852e21fad29e6202c3e4
-
Filesize
4.3MB
MD5e8720a108ab06a718139ead59450621e
SHA1d23f2e8a20798530fe570909e55374195b7838bb
SHA2564b3dcbd0f0e08a3e4f7c5b0318588ebc4d118d9ce669edb0c10c8fe27649c799
SHA5125d25e41520abcb68f5c0c9722cf9db9b2d6e808616c566979f858b2fcda0e43409dba15a19e59f05559b09f8f527abee971d4dc644cc852e21fad29e6202c3e4
-
Filesize
4.3MB
MD5e8720a108ab06a718139ead59450621e
SHA1d23f2e8a20798530fe570909e55374195b7838bb
SHA2564b3dcbd0f0e08a3e4f7c5b0318588ebc4d118d9ce669edb0c10c8fe27649c799
SHA5125d25e41520abcb68f5c0c9722cf9db9b2d6e808616c566979f858b2fcda0e43409dba15a19e59f05559b09f8f527abee971d4dc644cc852e21fad29e6202c3e4