fabookie | 7d50e22081955b574b989561277ce0e835117e716817736373ac8799774b6f03

Analysis

max time kernel
61s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8adc5d57a26fc6ad44338a47a1a45dcb.exe
Size

2.8MB
MD5

8adc5d57a26fc6ad44338a47a1a45dcb
SHA1

5160b9f42a52e2d9d7c286cef12499e53f34ac46
SHA256

7d50e22081955b574b989561277ce0e835117e716817736373ac8799774b6f03
SHA512

f00f2f1b6048fed465d1541c865f64ce14ab8a01b1c1dfdc209637f2a09edea81f6401fbe473795362b43443050a71af9ccb8d4a429e367f022bd6edc72f7a41
SSDEEP

49152:9g/PiVJuJNz0XqAbsC6QFC5vXIovwASRIyQkPXhmZUS6IspAdVnXC5yrzIKPVG5n:y/Pij4KqoPzPXgPsidQcnw9am

Score

10^/10

fabookie nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor dropper loader spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://sornx.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320c-77.dat	family_fabookie
behavioral2/files/0x000600000002320c-71.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1376-153-0x0000000000400000-0x0000000001DCC000-memory.dmp	family_vidar
behavioral2/memory/1376-140-0x0000000003A90000-0x0000000003B2D000-memory.dmp	family_vidar
behavioral2/memory/1376-178-0x0000000000400000-0x0000000001DCC000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023202-48.dat	aspack_v212_v242
behavioral2/files/0x0006000000023205-54.dat	aspack_v212_v242
behavioral2/files/0x0006000000023203-50.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	8adc5d57a26fc6ad44338a47a1a45dcb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	setup_installer.exe

Executes dropped EXE 10 IoCs

pid	Process
3896	setup_installer.exe
2536	setup_install.exe
1376	Sat1439757f36bcd2d5.exe
2352	Sat14cd569dce36.exe
1700	Sat14af44d511d3.exe
1512	Sat14546eea434751d.exe
220	WerFault.exe
2680	Sat1400e35015ff26dd.exe
4344	Sat144adc22f2e612dc.exe
3716	Sat14ea52090698.tmp

Loads dropped DLL 7 IoCs

pid	Process
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
3716	Sat14ea52090698.tmp

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
3132	2536	WerFault.exe	90
2868	1376	WerFault.exe	105
2400	1376	WerFault.exe	105
832	1376	WerFault.exe	105
4028	1376	WerFault.exe	105
440	1376	WerFault.exe	105
3860	1376	WerFault.exe	105
3592	1376	WerFault.exe	105
3432	1376	WerFault.exe	105
2096	1376	WerFault.exe	105
1548	1376	WerFault.exe	105
220	1376	WerFault.exe	105
4408	1376	WerFault.exe	105
2564	1376	WerFault.exe	105
2532	1376	WerFault.exe	105
1672	2680	WerFault.exe	97
1420	1376	WerFault.exe	105
3668	1376	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat1400e35015ff26dd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat1400e35015ff26dd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat1400e35015ff26dd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
2680	Sat1400e35015ff26dd.exe
2680	Sat1400e35015ff26dd.exe
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2680	Sat1400e35015ff26dd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	Sat14546eea434751d.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3896	1060	8adc5d57a26fc6ad44338a47a1a45dcb.exe	89
PID 1060 wrote to memory of 3896	1060	8adc5d57a26fc6ad44338a47a1a45dcb.exe	89
PID 1060 wrote to memory of 3896	1060	8adc5d57a26fc6ad44338a47a1a45dcb.exe	89
PID 3896 wrote to memory of 2536	3896	setup_installer.exe	90
PID 3896 wrote to memory of 2536	3896	setup_installer.exe	90
PID 3896 wrote to memory of 2536	3896	setup_installer.exe	90
PID 2536 wrote to memory of 3600	2536	setup_install.exe	112
PID 2536 wrote to memory of 3600	2536	setup_install.exe	112
PID 2536 wrote to memory of 3600	2536	setup_install.exe	112
PID 2536 wrote to memory of 2824	2536	setup_install.exe	111
PID 2536 wrote to memory of 2824	2536	setup_install.exe	111
PID 2536 wrote to memory of 2824	2536	setup_install.exe	111
PID 2536 wrote to memory of 556	2536	setup_install.exe	110
PID 2536 wrote to memory of 556	2536	setup_install.exe	110
PID 2536 wrote to memory of 556	2536	setup_install.exe	110
PID 2536 wrote to memory of 2404	2536	setup_install.exe	109
PID 2536 wrote to memory of 2404	2536	setup_install.exe	109
PID 2536 wrote to memory of 2404	2536	setup_install.exe	109
PID 2536 wrote to memory of 1392	2536	setup_install.exe	108
PID 2536 wrote to memory of 1392	2536	setup_install.exe	108
PID 2536 wrote to memory of 1392	2536	setup_install.exe	108
PID 2536 wrote to memory of 1292	2536	setup_install.exe	135
PID 2536 wrote to memory of 1292	2536	setup_install.exe	135
PID 2536 wrote to memory of 1292	2536	setup_install.exe	135
PID 2536 wrote to memory of 3776	2536	setup_install.exe	106
PID 2536 wrote to memory of 3776	2536	setup_install.exe	106
PID 2536 wrote to memory of 3776	2536	setup_install.exe	106
PID 2536 wrote to memory of 4556	2536	setup_install.exe	93
PID 2536 wrote to memory of 4556	2536	setup_install.exe	93
PID 2536 wrote to memory of 4556	2536	setup_install.exe	93
PID 1392 wrote to memory of 1376	1392	cmd.exe	105
PID 1392 wrote to memory of 1376	1392	cmd.exe	105
PID 1392 wrote to memory of 1376	1392	cmd.exe	105
PID 2404 wrote to memory of 2352	2404	cmd.exe	94
PID 2404 wrote to memory of 2352	2404	cmd.exe	94
PID 3600 wrote to memory of 3648	3600	cmd.exe	104
PID 3600 wrote to memory of 3648	3600	cmd.exe	104
PID 3600 wrote to memory of 3648	3600	cmd.exe	104
PID 2824 wrote to memory of 1700	2824	cmd.exe	103
PID 2824 wrote to memory of 1700	2824	cmd.exe	103
PID 2824 wrote to memory of 1700	2824	cmd.exe	103
PID 4556 wrote to memory of 1512	4556	cmd.exe	102
PID 4556 wrote to memory of 1512	4556	cmd.exe	102
PID 1292 wrote to memory of 220	1292	WerFault.exe	133
PID 1292 wrote to memory of 220	1292	WerFault.exe	133
PID 1292 wrote to memory of 220	1292	WerFault.exe	133
PID 556 wrote to memory of 2680	556	cmd.exe	97
PID 556 wrote to memory of 2680	556	cmd.exe	97
PID 556 wrote to memory of 2680	556	cmd.exe	97
PID 3776 wrote to memory of 4344	3776	cmd.exe	100
PID 3776 wrote to memory of 4344	3776	cmd.exe	100
PID 3776 wrote to memory of 4344	3776	cmd.exe	100
PID 220 wrote to memory of 3716	220	WerFault.exe	98
PID 220 wrote to memory of 3716	220	WerFault.exe	98
PID 220 wrote to memory of 3716	220	WerFault.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8adc5d57a26fc6ad44338a47a1a45dcb.exe
"C:\Users\Admin\AppData\Local\Temp\8adc5d57a26fc6ad44338a47a1a45dcb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\7zS83F34977\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS83F34977\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14546eea434751d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14546eea434751d.exe
        
        Sat14546eea434751d.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 560
      4⤵
      Program crash
      PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat144adc22f2e612dc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14ea52090698.exe
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1439757f36bcd2d5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14cd569dce36.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1400e35015ff26dd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14af44d511d3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3600

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14cd569dce36.exe
Sat14cd569dce36.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14ea52090698.exe
Sat14ea52090698.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\is-5CABS.tmp\Sat14ea52090698.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5CABS.tmp\Sat14ea52090698.tmp" /SL5="$C0044,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14ea52090698.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3716

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat1400e35015ff26dd.exe
Sat1400e35015ff26dd.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 372
  2⤵
  - Program crash
  PID:1672

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat144adc22f2e612dc.exe
Sat144adc22f2e612dc.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2536 -ip 2536
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14af44d511d3.exe
Sat14af44d511d3.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat1439757f36bcd2d5.exe
Sat1439757f36bcd2d5.exe
1⤵
- Executes dropped EXE
PID:1376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 832
  2⤵
  - Program crash
  PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 840
  2⤵
  - Program crash
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 856
  2⤵
  - Program crash
  PID:832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 896
  2⤵
  - Program crash
  PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1040
  2⤵
  - Program crash
  PID:440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1084
  2⤵
  - Program crash
  PID:3860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1520
  2⤵
  - Program crash
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1532
  2⤵
  - Program crash
  PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1780
  2⤵
  - Program crash
  PID:2096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1572
  2⤵
  - Program crash
  PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1528
  2⤵
  - Executes dropped EXE
  - Program crash
  - Suspicious use of WriteProcessMemory
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1632
  2⤵
  - Program crash
  PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1528
  2⤵
  - Program crash
  PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1524
  2⤵
  - Program crash
  PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1616
  2⤵
  - Program crash
  PID:1420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1028
  2⤵
  - Program crash
  PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1376 -ip 1376
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1376 -ip 1376
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1376 -ip 1376
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1376 -ip 1376
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1376 -ip 1376
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1376 -ip 1376
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1376 -ip 1376
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1376 -ip 1376
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1376 -ip 1376
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1376 -ip 1376
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1376 -ip 1376
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1376 -ip 1376
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1376 -ip 1376
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1376 -ip 1376
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2680 -ip 2680
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1376 -ip 1376
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1376 -ip 1376
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat1400e35015ff26dd.exe

Filesize
138KB

MD5
d43c9f60c9c54a4cb7d75f3f465671b8

SHA1
2c70cf24dc0d90e363633f4f125d3a8f4d8a7c94

SHA256
371a75b3d5e3325add69c4cbf6b4183a4f317de194b40b7e7f941d356b0a5ef1

SHA512
03c830aef525722ddab51c47dc4721b3acf356a08b41367d6f78daffcd78f27e9a8745d3fb1e3e28bce9a6efb08ee741d40bbf45b2a3c98aa397a9b8dfd92dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat1439757f36bcd2d5.exe

Filesize
505KB

MD5
156091ee046a517b3cc8269cdc229e85

SHA1
d93ab7b74a7d5cd61ff08223c6d12653d280bf49

SHA256
86cb3cfdec6e94d23c7dfb3e23b3a295fe469ba5e6548ce6fa6001bcc168c718

SHA512
1ae674745630faf3c11ef278af064ffefaa48af60c17d6366eba2ae4a8cda39e5310f91442647d828833ab997f103b85026fcaaefeed391212b34fd7f8f81754

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat144adc22f2e612dc.exe

Filesize
1002KB

MD5
e91bdc249d4f24908b1dad6443a28254

SHA1
88860c52b7a1d1583e250d1bc873375c98b175af

SHA256
4d16db4c996b9dc58dee48797d557ca63472157d2ee253f19eb186987aad7fe7

SHA512
1f98b44a64e80799b8728177d74acf083cf3c97d772facc5889b44ac888eb79c2fef8b4fcff315ca267df8754fb239721242930098159d276a58e3c0c12604c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat144adc22f2e612dc.exe

Filesize
178KB

MD5
d766d54daafb0f9b251a1df0d4372214

SHA1
ef9a953b5aaf6c0eb2cb102769b59ed5e33d5979

SHA256
5d0325ad67b5f7f25d2f10c8ac222e477b21c2ce4a2f84c998f1e77ba492fafd

SHA512
2ed0b300fe1668db1efa8f4d36a3348962a6b67ae0158979b5c1d44d0bd225ae25afd0453ba3c8ec61f9fba48173f210e0e7384ad194f0467958069babe699eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14546eea434751d.exe

Filesize
145KB

MD5
ce38ad6931c0a063866aee6710987109

SHA1
e13b663e89fd95aa48908499c294f3e19feed8ac

SHA256
471bc015fe2eeb2be798bb875a2ca1820bd44108551137b4626f5436bd93261e

SHA512
fad20753313d20c6bce1223958790adf4d4bbb39a201ac04aa1977b30ee4d3bf0b89154876acb67123e1581413e82d602e165053d676af3e4ea84459b4e9b902

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14af44d511d3.exe

Filesize
100KB

MD5
cf2b379b7679f073235655b22227c9db

SHA1
80283c3f00883f2545f3d2a248b0e3e597a43122

SHA256
332da9b154a954db8047fe4b5ba352bbac3b1e959e7c8a5aba751bdb127cbacd

SHA512
1d1b16314124e342fa98f3799e632253e3fd42e1950c5e656ca66bd6aa6170dfce65b7e33255cf67c45740741e91db73b234dd792e0e6550b751afe58f5e8d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14cd569dce36.exe

Filesize
1.0MB

MD5
15d6c25623af8f5a8d576ab25326c1f2

SHA1
23cfbd0ae28735a6e6d46f446d6ffb4eec5bf548

SHA256
d0698dcf82855b8c84ec7987cb2e92ba95b86224441fba59300fe412da5b1e44

SHA512
143a96b44614a7ba66aa2d0f0da0054e7608105230e2c7d448e569853a02e9a236255257cc6aaa827a5cb61051871bc5c49084125af78c85f075776a32ca355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14cd569dce36.exe

Filesize
1.1MB

MD5
4a4f0567feaaab907518998621e520d1

SHA1
3e2f2a2c72c2ea5ff16b0d8df1adaab503fcf836

SHA256
fe07a0d1b4db97538b7dde119f52fed46c4c60102160fa5e9a0a1dc82642c8f2

SHA512
36eb871ebfd08ea28698953e3585eeb9be9f964bf422ce57a8c05f83f89e0989a371cead54cce1efe7dc2233c2a6dd28251c3e6a944028950d212ec080e4a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\Sat14ea52090698.exe

Filesize
757KB

MD5
8887a710e57cf4b3fe841116e9a0dfdd

SHA1
8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4

SHA256
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

SHA512
1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\setup_install.exe

Filesize
424KB

MD5
d423b33cd60268b68b631a5f157479de

SHA1
38dce452441dc3bbc47d387ddb234681b6b68a05

SHA256
fed622b83b295a2771c3d9c6da3cbe8cbfd3a243181239e29d4b41d02fbca35c

SHA512
4d0eff4c8459a1c0ad521990babdc9b54c9151790c47793a8315ad1f8027a3917596044fa86b6553d3bfeb7fa53605a38489b68007e3b555d1fec806c4732ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\setup_install.exe

Filesize
227KB

MD5
2db54ea505ee18907e50303b491e9bf4

SHA1
c7b3597f0322c3e32aff8a4a6a888774f9fb0919

SHA256
e809599e2a156970168c3af8e8c105939061f5982b5bb292465aa03d9fce047f

SHA512
b758eb219208fa478c6c30e7fc154f3a12ba54a706672b7da63fb364b69e67ff2fa641d00d37fb8c7be31cb65d638768b46b8940239f1e2a52f440b43725be7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83F34977\setup_install.exe

Filesize
200KB

MD5
5271045c52337b0746a52a69aace8e51

SHA1
0e1090ba7a0408d3c02410ebb6a55613b6dad98e

SHA256
53e8c93766a83eb7a73fd3d1e32564c546770df9e619362ed438fb77a844b609

SHA512
6646bb0ad69618dac0b98e118f84ea506cef4514e46320c37466c53d2eceb8959281768075b0fb1286b944d9c67fdc46385715ad88a8188605946a0989f17093

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xapsc5hb.nio.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5CABS.tmp\Sat14ea52090698.tmp

Filesize
64KB

MD5
175df15b8c3f1e5538aa9dd910571b40

SHA1
93036969fe3b229c23058f26c134485eae5b8ccd

SHA256
48528f395d9fe69c91498ec43bb4f825bcc66d85980fa6a5a08db831f2e40183

SHA512
94dfd62c02081b2fb9c086fabc2d388e48a20f0397342f0582290fd997dacb454596ea85190cc484469b4b862173257468cd765a28b9ccdd3f6ac5068584e223

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6I7SA.tmp\idp.dll

Filesize
1KB

MD5
899fdd10efed2e4cd8ae7289ee862616

SHA1
19b2a144cf48595de90bfa444e3796eb00ce5338

SHA256
16b9220837c2d6f7abba228e1afad7c0d39e5a5399a6b2702723e0b44bbf4587

SHA512
d9cd8b71db6c5bf51bb0c0dc5af331faed8753011649e91a0f30c1ba724437a142ff15f5ef1248bc1328cfa5c0abf390827a297edd26bdb78655698576c84402

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
871KB

MD5
910bd80d5740ee3f41ce1fb314d8e81b

SHA1
19b9fcceb4af4864b2bc38c0f3ad20187c0a51a9

SHA256
1d5f485fc7b7c07673fddebf7899a932349cb3755dd8ea08e752f15feb76cae7

SHA512
9fd4e9a3d912e528cf7b3d27f4db077bc859e5280ab2586d3909204a83b3a0568e289f5df4ecfbd2eeb1994262e87c256abcfe1dce336978c955be0eb0341502

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
1.2MB

MD5
57aa60f6671a85cca57cb16a644bbb1a

SHA1
03d84d0702c256e61ca2035bf4651a76a2aa3857

SHA256
b26a12e668b56e8566a57b23122c36099a1ba526f520a9f797c81876e037c8e0

SHA512
148749ddf5dbfd54d8d98a4a423b6a461e4455ab04f7a5af15ca15e7c01b6f4eb5b6cacddf6a80aee9259171bd366efce290cf1db7a07b45f6756ac0addf2195

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.4MB

MD5
c2369d1057b0b5475f4c37b7b6fe972b

SHA1
58d603983fbcf47ac84fd2a9a789156bb5237e2b

SHA256
c5240ebebd13404e430cc39909b319aee8e304d351fe77af04a57b35762bf757

SHA512
a5f54b2e326b15c3f01d56f80afe6a6ece5769206e59d1ad4d76397514aab59c9388e3a45db886f9ab8377fdbf9fceceb4322a5e50c9ef0ec100a96a614af403

Download Submit
memory/220-130-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-83-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1376-140-0x0000000003A90000-0x0000000003B2D000-memory.dmp

Filesize
628KB

Download
memory/1376-178-0x0000000000400000-0x0000000001DCC000-memory.dmp

Filesize
25.8MB

Download
memory/1376-153-0x0000000000400000-0x0000000001DCC000-memory.dmp

Filesize
25.8MB

Download
memory/1376-137-0x00000000020F0000-0x00000000021F0000-memory.dmp

Filesize
1024KB

Download
memory/1512-90-0x0000000000D40000-0x0000000000D6C000-memory.dmp

Filesize
176KB

Download
memory/1512-136-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/1512-97-0x00007FF913BB0000-0x00007FF914671000-memory.dmp

Filesize
10.8MB

Download
memory/1512-94-0x0000000002DC0000-0x0000000002DE0000-memory.dmp

Filesize
128KB

Download
memory/2536-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2536-128-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2536-124-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2536-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-126-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-127-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-133-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2536-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2680-179-0x0000000000400000-0x0000000001D70000-memory.dmp

Filesize
25.4MB

Download
memory/2680-154-0x0000000001DB0000-0x0000000001DB9000-memory.dmp

Filesize
36KB

Download
memory/2680-155-0x0000000001E80000-0x0000000001F80000-memory.dmp

Filesize
1024KB

Download
memory/2680-158-0x0000000000400000-0x0000000001D70000-memory.dmp

Filesize
25.4MB

Download
memory/3476-175-0x0000000002B10000-0x0000000002B25000-memory.dmp

Filesize
84KB

Download
memory/3648-95-0x00000000050F0000-0x0000000005718000-memory.dmp

Filesize
6.2MB

Download
memory/3648-157-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/3648-134-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

Filesize
304KB

Download
memory/3648-159-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/3648-138-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/3648-139-0x0000000071C10000-0x0000000071C5C000-memory.dmp

Filesize
304KB

Download
memory/3648-151-0x000000007FA40000-0x000000007FA50000-memory.dmp

Filesize
64KB

Download
memory/3648-152-0x0000000006DE0000-0x0000000006E83000-memory.dmp

Filesize
652KB

Download
memory/3648-150-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/3648-120-0x00000000058E0000-0x0000000005C34000-memory.dmp

Filesize
3.3MB

Download
memory/3648-119-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/3648-118-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3648-91-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/3648-131-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/3648-84-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download
memory/3648-156-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/3648-92-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/3648-100-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/3648-160-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/3648-161-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/3648-162-0x00000000072A0000-0x00000000072AE000-memory.dmp

Filesize
56KB

Download
memory/3648-164-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/3648-163-0x00000000072B0000-0x00000000072C4000-memory.dmp

Filesize
80KB

Download
memory/3648-165-0x0000000007390000-0x0000000007398000-memory.dmp

Filesize
32KB

Download
memory/3648-168-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/3648-98-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/3716-125-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3716-99-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download