Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-02-2024 00:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
- Resource: win7-20231215-en
General
- Target: 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
- Size: 240KB
- MD5: a05efaf63385624a9a6f4cb71e3034f2
- SHA1: 00921d3aa2c3cb750b0b2799001eaee1023c6e97
- SHA256: 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f
- SHA512: c181aedf600a55843aaaacbefc585b9f7b0bad26e87bdc7b00c63d1c908f7d5994f89ef116847a201ec91a89fe869523ac5bcbe331203ccf85923e9ff44281e5
- SSDEEP: 3072:i0omm42dpvxmiFdS4wgtKO48l2Bq3PWdkkooNymbkgeJt3hxfdU5fl6Mud:FVmvvMiptwE3PWdkk1wg2tbfo
Malware Config
- Extracted: smokeloader, pub3
- Extracted: smokeloader, 2022
  URLs:
    http://sjyey.com/tmp/index.php
    http://babonwo.ru/tmp/index.php
    http://mth.com.ua/tmp/index.php
    http://piratia.pw/tmp/index.php
    http://go-piratia.ru/tmp/index.php
- Extracted: amadey, 4.14
  URLs:
    http://anfesq.com
    http://cbinr.com
    http://rimakc.ru
  install_dir: 68fd3d7ade
  install_file: Utsysc.exe
  strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
  url_paths: /forum/index.php
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    D0CD.exe: key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
    Utsysc.exe: key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoC)
  Processes: PID 2976
- Executes dropped EXE (4 IoCs)
  Processes: 1108 D0CD.exe, 2524 Utsysc.exe, 2912 Utsysc.exe, 1872 Utsysc.exe
- Loads dropped DLL (9 IoCs)
  Processes: rundll32.exe with PIDs 1396, 4080, 2184, 4508, 4928, 1624, 4812, 4700, 4684
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (34 IoCs)
  Processes (crashed target, then the WerFault.exe PIDs reported for it):
    D0CD.exe (PID 1108): 1508, 384, 1232, 3176, 4484, 2688, 1756, 3964, 1980, 4540
    Utsysc.exe (PID 2524): 3144, 2700, 3848, 2576, 208, 3716, 4044, 3772, 1816, 2692, 540, 724, 1912, 4724, 2324, 2000, 60, 1048, 2396, 2668, 4912, 2964
    Utsysc.exe (PID 2912): 3820
    Utsysc.exe (PID 1872): 4892
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe opened, queried and enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 4656 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe (2 entries); PID 2976 (62 entries, no process name recorded in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 4656 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: PID 2976, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (64 entries in total)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 1108 D0CD.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (source PID/process wrote to memory of target PID/process; repeated entries as reported):
    2976 -> 1108 D0CD.exe (3 entries)
    1108 D0CD.exe -> 2524 Utsysc.exe (3 entries)
    2524 Utsysc.exe -> 4464 schtasks.exe (3 entries)
    2524 Utsysc.exe -> 1396 rundll32.exe (3 entries)
    1396 rundll32.exe -> 4080 rundll32.exe (2 entries)
    2524 Utsysc.exe -> 2184 rundll32.exe (3 entries)
    2184 rundll32.exe -> 4508 rundll32.exe (2 entries)
    2524 Utsysc.exe -> 4928 rundll32.exe (3 entries)
    4928 rundll32.exe -> 1624 rundll32.exe (2 entries)
    2524 Utsysc.exe -> 4812 rundll32.exe (3 entries)
    2524 Utsysc.exe -> 4700 rundll32.exe (3 entries)
    2524 Utsysc.exe -> 4684 rundll32.exe (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows depth in the process tree; each line gives the PID, the command line, the image path where it differs from the command line, and the matched signatures in brackets)

- PID 4656  "C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe"  [Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection]

- PID 1108  C:\Users\Admin\AppData\Local\Temp\D0CD.exe  [Checks computer location settings; Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory]
    - PID 1508  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 580  [Program crash]
    - PID 384   C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 648  [Program crash]
    - PID 1232  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 692  [Program crash]
    - PID 3176  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 828  [Program crash]
    - PID 4484  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 828  [Program crash]
    - PID 2688  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 848  [Program crash]
    - PID 1756  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1100  [Program crash]
    - PID 3964  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1156  [Program crash]
    - PID 1980  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1216  [Program crash]
    - PID 2524  "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"  [Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory]
        - PID 3144  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 604  [Program crash]
        - PID 2700  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 844  [Program crash]
        - PID 3848  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 840  [Program crash]
        - PID 2576  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 976  [Program crash]
        - PID 208   C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1012  [Program crash]
        - PID 3716  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1008  [Program crash]
        - PID 4044  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1020  [Program crash]
        - PID 4464  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F  (image: C:\Windows\SysWOW64\schtasks.exe)  [Creates scheduled task(s)]
        - PID 3772  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 924  [Program crash]
        - PID 1816  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 676  [Program crash]
        - PID 2692  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 640  [Program crash]
        - PID 540   C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 784  [Program crash]
        - PID 724   C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1180  [Program crash]
        - PID 1912  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 640  [Program crash]
        - PID 4724  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1216  [Program crash]
        - PID 2324  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1252  [Program crash]
        - PID 2000  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1432  [Program crash]
        - PID 60    C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1432  [Program crash]
        - PID 1048  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1448  [Program crash]
        - PID 2396  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1664  [Program crash]
        - PID 2668  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1052  [Program crash]
        - PID 4912  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1744  [Program crash]
        - PID 1396  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main  (image: C:\Windows\SysWOW64\rundll32.exe)  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
            - PID 4080  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main  (image: C:\Windows\system32\rundll32.exe)  [Loads dropped DLL]
        - PID 2184  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main  (image: C:\Windows\SysWOW64\rundll32.exe)  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
            - PID 4508  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main  (image: C:\Windows\system32\rundll32.exe)  [Loads dropped DLL]
        - PID 4928  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main  (image: C:\Windows\SysWOW64\rundll32.exe)  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
            - PID 1624  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main  (image: C:\Windows\system32\rundll32.exe)  [Loads dropped DLL]
        - PID 4812  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main  (image: C:\Windows\SysWOW64\rundll32.exe)  [Loads dropped DLL]
        - PID 4700  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main  (image: C:\Windows\SysWOW64\rundll32.exe)  [Loads dropped DLL]
        - PID 4684  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main  (image: C:\Windows\SysWOW64\rundll32.exe)  [Loads dropped DLL]
        - PID 2964  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1320  [Program crash]
    - PID 4540  C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1084  [Program crash]

- PID 3248  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1108 -ip 1108
- PID 2000  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1108 -ip 1108
- PID 756   C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1108 -ip 1108
- PID 2964  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1108 -ip 1108
- PID 5104  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1108 -ip 1108
- PID 2512  C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1108 -ip 1108
- PID 4264  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1108 -ip 1108
- PID 1688  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1108 -ip 1108
- PID 784   C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1108 -ip 1108
- PID 2684  C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1108 -ip 1108
- PID 3780  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2524 -ip 2524
- PID 884   C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2524 -ip 2524
- PID 4436  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2524 -ip 2524
- PID 4360  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2524 -ip 2524
- PID 624   C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2524 -ip 2524
- PID 3312  C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2524 -ip 2524
- PID 3520  C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2524 -ip 2524
- PID 468   C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2524 -ip 2524
- PID 4848  C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2524 -ip 2524
- PID 1936  C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2524 -ip 2524
- PID 2944  C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2524 -ip 2524
- PID 4712  C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2524 -ip 2524
- PID 1712  C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2524 -ip 2524
- PID 3612  C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2524 -ip 2524
- PID 4160  C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2524 -ip 2524
- PID 2040  C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2524 -ip 2524
- PID 2180  C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2524 -ip 2524
- PID 2964  C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2524 -ip 2524
- PID 2820  C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2524 -ip 2524

- PID 2912  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe  [Executes dropped EXE]
    - PID 3820  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 428  [Program crash]

- PID 3060  C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2912 -ip 2912
- PID 4576  C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2524 -ip 2524
- PID 3744  C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 2524 -ip 2524

- PID 1872  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe  [Executes dropped EXE]
    - PID 4892  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 428  [Program crash]

- PID 1028  C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1872 -ip 1872
- PID 1232  C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2524 -ip 2524
Downloads
- Filesize: 81KB
- Filesize: 388KB
- Filesize: 102KB
- Filesize: 1.1MB