Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
12-02-2024 18:35
Static task
static1
Behavioral task
behavioral1
Sample
ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Resource
win7-20231215-en
General
-
Target
ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
-
Size
217KB
-
MD5
d722704eff46ac5ca68723e9d35e9c81
-
SHA1
c08f9166337b98a774fd43b771c652bead0b57af
-
SHA256
ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
-
SHA512
80f2c9d8e5f630e1b2b511a7460a31c4b98ff8e628fecba33546205a00c11b5638a484c559b7c466cb7d2f2bc9f92b791fa7ab4e7d15cc55c4a0ff65de7a0e9b
-
SSDEEP
6144:DHfZ8S+RSDnm9WwgFyzE9P08R5HYjWjm:TfZ8S+ILm9PgFyzO08R5f
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
amadey
4.14
http://anfesq.com
http://cbinr.com
http://rimakc.ru
-
install_dir
68fd3d7ade
-
install_file
Utsysc.exe
-
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
-
url_paths
/forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: C20.exe, Utsysc.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C20.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | Utsysc.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
3520 | (no process name recorded)
-
Executes dropped EXE 3 IoCs
Processes: C20.exe, Utsysc.exe, Utsysc.exe
pid | process
3900 | C20.exe
324 | Utsysc.exe
3048 | Utsysc.exe
-
Loads dropped DLL 9 IoCs
Processes: rundll32.exe (9 instances)
pid | process
2000 | rundll32.exe
2972 | rundll32.exe
3516 | rundll32.exe
1532 | rundll32.exe
3588 | rundll32.exe
3392 | rundll32.exe
3488 | rundll32.exe
1860 | rundll32.exe
1356 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 31 IoCs
Processes: WerFault.exe (31 instances)
pid | pid_target | process | target process
3720 | 3900 | WerFault.exe | C20.exe
4780 | 3900 | WerFault.exe | C20.exe
4772 | 3900 | WerFault.exe | C20.exe
2952 | 3900 | WerFault.exe | C20.exe
2908 | 3900 | WerFault.exe | C20.exe
3800 | 3900 | WerFault.exe | C20.exe
3616 | 3900 | WerFault.exe | C20.exe
5032 | 3900 | WerFault.exe | C20.exe
820 | 3900 | WerFault.exe | C20.exe
4816 | 3900 | WerFault.exe | C20.exe
4332 | 324 | WerFault.exe | Utsysc.exe
4536 | 324 | WerFault.exe | Utsysc.exe
208 | 324 | WerFault.exe | Utsysc.exe
1392 | 324 | WerFault.exe | Utsysc.exe
2384 | 324 | WerFault.exe | Utsysc.exe
3436 | 324 | WerFault.exe | Utsysc.exe
236 | 324 | WerFault.exe | Utsysc.exe
3696 | 324 | WerFault.exe | Utsysc.exe
1076 | 324 | WerFault.exe | Utsysc.exe
2612 | 324 | WerFault.exe | Utsysc.exe
5028 | 324 | WerFault.exe | Utsysc.exe
4068 | 324 | WerFault.exe | Utsysc.exe
2948 | 324 | WerFault.exe | Utsysc.exe
5056 | 324 | WerFault.exe | Utsysc.exe
2780 | 324 | WerFault.exe | Utsysc.exe
4464 | 324 | WerFault.exe | Utsysc.exe
1880 | 324 | WerFault.exe | Utsysc.exe
4264 | 324 | WerFault.exe | Utsysc.exe
2920 | 324 | WerFault.exe | Utsysc.exe
2816 | 3048 | WerFault.exe | Utsysc.exe
4600 | 324 | WerFault.exe | Utsysc.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
pid | process | entries
208 | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe | 2
3520 | (no process name recorded) | 62
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
pid | process
208 | ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process | entries
Token: SeShutdownPrivilege | 3520 | (no process name recorded) | 32
Token: SeCreatePagefilePrivilege | 3520 | (no process name recorded) | 32
(the 64 entries alternate between the two privileges)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: C20.exe
pid | process
3900 | C20.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes: C20.exe, Utsysc.exe, rundll32.exe, rundll32.exe, rundll32.exe
description | pid | process | target process | entries
PID 3520 wrote to memory of 3900 | 3520 | (no process name recorded) | C20.exe | 3
PID 3900 wrote to memory of 324 | 3900 | C20.exe | Utsysc.exe | 3
PID 324 wrote to memory of 4032 | 324 | Utsysc.exe | schtasks.exe | 3
PID 324 wrote to memory of 2000 | 324 | Utsysc.exe | rundll32.exe | 3
PID 2000 wrote to memory of 2972 | 2000 | rundll32.exe | rundll32.exe | 2
PID 324 wrote to memory of 3516 | 324 | Utsysc.exe | rundll32.exe | 3
PID 3516 wrote to memory of 1532 | 3516 | rundll32.exe | rundll32.exe | 2
PID 324 wrote to memory of 3588 | 324 | Utsysc.exe | rundll32.exe | 3
PID 3588 wrote to memory of 3392 | 3588 | rundll32.exe | rundll32.exe | 2
PID 324 wrote to memory of 3488 | 324 | Utsysc.exe | rundll32.exe | 3
PID 324 wrote to memory of 1860 | 324 | Utsysc.exe | rundll32.exe | 3
PID 324 wrote to memory of 1356 | 324 | Utsysc.exe | rundll32.exe | 3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 208

C:\Users\Admin\AppData\Local\Temp\C20.exe
  command line: C:\Users\Admin\AppData\Local\Temp\C20.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3900
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 584
      - Program crash
      PID: 3720
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 664
      - Program crash
      PID: 4780
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 732
      - Program crash
      PID: 4772
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 860
      - Program crash
      PID: 2952
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 868
      - Program crash
      PID: 2908
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 868
      - Program crash
      PID: 3800
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1056
      - Program crash
      PID: 3616
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1160
      - Program crash
      PID: 5032
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1136
      - Program crash
      PID: 820
    C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 324
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 604
          - Program crash
          PID: 4332
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 792
          - Program crash
          PID: 4536
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 928
          - Program crash
          PID: 208
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1012
          - Program crash
          PID: 1392
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 936
          - Program crash
          PID: 2384
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 936
          - Program crash
          PID: 3436
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 996
          - Program crash
          PID: 236
        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
          - Creates scheduled task(s)
          PID: 4032
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 916
          - Program crash
          PID: 3696
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1184
          - Program crash
          PID: 1076
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 640
          - Program crash
          PID: 2612
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 692
          - Program crash
          PID: 5028
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1200
          - Program crash
          PID: 4068
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 688
          - Program crash
          PID: 2948
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 684
          - Program crash
          PID: 5056
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1192
          - Program crash
          PID: 2780
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1452
          - Program crash
          PID: 4464
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1656
          - Program crash
          PID: 1880
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1656
          - Program crash
          PID: 4264
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1464
          - Program crash
          PID: 2920
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2000
            C:\Windows\system32\rundll32.exe
              command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
              - Loads dropped DLL
              PID: 2972
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 3516
            C:\Windows\system32\rundll32.exe
              command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
              - Loads dropped DLL
              PID: 1532
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 3588
            C:\Windows\system32\rundll32.exe
              command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
              - Loads dropped DLL
              PID: 3392
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
          - Loads dropped DLL
          PID: 3488
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
          - Loads dropped DLL
          PID: 1860
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
          - Loads dropped DLL
          PID: 1356
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1560
          - Program crash
          PID: 4600
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 596
      - Program crash
      PID: 4816

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3900 -ip 3900
  PID: 4248

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3900 -ip 3900
  PID: 4192

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3900 -ip 3900
  PID: 1260

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3900 -ip 3900
  PID: 1808

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3900 -ip 3900
  PID: 3764

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3900 -ip 3900
  PID: 4768

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3900 -ip 3900
  PID: 1992

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3900 -ip 3900
  PID: 2920

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3900 -ip 3900
  PID: 3332

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3900 -ip 3900
  PID: 492

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 324 -ip 324
  PID: 848

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 324 -ip 324
  PID: 1592

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 324 -ip 324
  PID: 4356

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 324 -ip 324
  PID: 3588

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 324 -ip 324
  PID: 3384

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 324 -ip 324
  PID: 3232

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 324 -ip 324
  PID: 3176

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 324 -ip 324
  PID: 4872

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 324 -ip 324
  PID: 4456

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 324 -ip 324
  PID: 4064

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 324 -ip 324
  PID: 2260

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 324 -ip 324
  PID: 1852

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 324 -ip 324
  PID: 4664

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 324 -ip 324
  PID: 1780

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 324 -ip 324
  PID: 1556

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 324 -ip 324
  PID: 1708

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 324 -ip 324
  PID: 4836

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 324 -ip 324
  PID: 3800

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 324 -ip 324
  PID: 4236

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  - Executes dropped EXE
  PID: 3048
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 432
      - Program crash
      PID: 2816

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3048 -ip 3048
  PID: 2884

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 324 -ip 324
  PID: 3740
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
75KB
MD5
eecaa1b7b28d733354b5518fea6b1a11
SHA1
ad53f4767453062d801363ec086e9bad19336013
SHA256
43f2d9a4bc567711f81756a59c7d9c867afad72779a8392fc9f8080360440503
SHA512
1c27f19445eedb93523da76982dc24aa5cb372039b08cc8aa1408b3629487ecd3c1012c5d4b639a1a245bead6b825956e94819f4d576af742cf69323bc44a6e4
-
Filesize
156KB
MD5
193c317b333b536d081e9a2952c1bbc5
SHA1
46468dfae59a2640de78a7cecb18a24303ffdaad
SHA256
feffdd8bbaba7155fd5c595247bc528e25fe0f2fa0625d718550f349bace0576
SHA512
f69aa886fe3811cc9e0a7c7362a4860c8ee766e5d21c80ac020309cdcd7cde47abe420f1b7c0794b377389e5282df6e7055db5c502911bbd8a5a46ea5823c804
-
Filesize
395KB
MD5
1e42a52c9909dd21636bba1b0f00f8e8
SHA1
93f8c29dd3b615a97ef35b5bb3d5523bfe21d613
SHA256
0747f384a5cf12ae118c194c48a59dc7dcbb23c75b9d7d43b1cb03be8c711719
SHA512
400451711cf3ce5f756f63008a4461271f86faeeaa0dcfbc24caacb98f5aef7c61d897038f38f58b770d95ffc420da2fb686b8934eb573c13ce11910c6f7cf40
-
Filesize
102KB
MD5
4194e9b8b694b1e9b672c36f0d868e32
SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
-
Filesize
1.1MB
MD5
f01f5bc76b9596e0cfeab8a272cba3a5
SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63