Analysis
-
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-02-2024 04:27
Static task: static1
Behavioral task: behavioral1
Sample: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
Resource: win7-20240215-en
General
-
Target: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
Size: 288KB
MD5: e88da5d3f528d78eabc2de83797c2195
SHA1: 7937c0b3fac48fa50aa74e80387a6ff6f463c978
SHA256: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300
SHA512: 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9
SSDEEP: 3072:OziRfFi3WzI2OfoyFIUVvBmAx0H3q0eJ5cLw5p0s0hQUxaIa2VM:/RfFDG3FJVvtyeJ5JKQUxaIh
Malware Config
Extracted
  Family: smokeloader
  Botnet: pub3
Extracted
  Family: smokeloader
  Version: 2022
  C2:
    http://sjyey.com/tmp/index.php
    http://babonwo.ru/tmp/index.php
    http://mth.com.ua/tmp/index.php
    http://piratia.pw/tmp/index.php
    http://go-piratia.ru/tmp/index.php
Extracted
  Family: amadey
  Version: 4.14
  C2:
    http://anfesq.com
    http://cbinr.com
    http://rimakc.ru
  Attributes:
    install_dir: 68fd3d7ade
    install_file: Utsysc.exe
    strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
    url_paths: /forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | FD9A.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Utsysc.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
3568 | (no name recorded)
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
4516 | FD9A.exe
4380 | Utsysc.exe
2256 | Utsysc.exe
4752 | Utsysc.exe
3692 | wgwdcje
-
Loads dropped DLL 9 IoCs
Processes:
pid | process
3612 | rundll32.exe
2512 | rundll32.exe
2264 | rundll32.exe
1508 | rundll32.exe
3300 | rundll32.exe
5080 | rundll32.exe
4276 | rundll32.exe
472 | rundll32.exe
4968 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 35 IoCs
Processes:
pid | pid_target | process | target process
5096 | 4516 | WerFault.exe | FD9A.exe
5080 | 4516 | WerFault.exe | FD9A.exe
4500 | 4516 | WerFault.exe | FD9A.exe
4760 | 4516 | WerFault.exe | FD9A.exe
3472 | 4516 | WerFault.exe | FD9A.exe
2732 | 4516 | WerFault.exe | FD9A.exe
3796 | 4516 | WerFault.exe | FD9A.exe
3352 | 4516 | WerFault.exe | FD9A.exe
2072 | 4516 | WerFault.exe | FD9A.exe
4296 | 4516 | WerFault.exe | FD9A.exe
4424 | 4380 | WerFault.exe | Utsysc.exe
2248 | 4516 | WerFault.exe | FD9A.exe
3544 | 4380 | WerFault.exe | Utsysc.exe
4916 | 4380 | WerFault.exe | Utsysc.exe
2116 | 4380 | WerFault.exe | Utsysc.exe
4056 | 4380 | WerFault.exe | Utsysc.exe
4984 | 4380 | WerFault.exe | Utsysc.exe
5044 | 4380 | WerFault.exe | Utsysc.exe
4100 | 4380 | WerFault.exe | Utsysc.exe
2820 | 4380 | WerFault.exe | Utsysc.exe
2064 | 4380 | WerFault.exe | Utsysc.exe
4208 | 4380 | WerFault.exe | Utsysc.exe
2088 | 4380 | WerFault.exe | Utsysc.exe
1244 | 4380 | WerFault.exe | Utsysc.exe
1396 | 4380 | WerFault.exe | Utsysc.exe
1236 | 4380 | WerFault.exe | Utsysc.exe
928 | 4380 | WerFault.exe | Utsysc.exe
1460 | 4380 | WerFault.exe | Utsysc.exe
2272 | 4380 | WerFault.exe | Utsysc.exe
696 | 4380 | WerFault.exe | Utsysc.exe
4440 | 4380 | WerFault.exe | Utsysc.exe
3668 | 2256 | WerFault.exe | Utsysc.exe
3508 | 4380 | WerFault.exe | Utsysc.exe
4528 | 4752 | WerFault.exe | Utsysc.exe
4100 | 4380 | WerFault.exe | Utsysc.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wgwdcje
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wgwdcje
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wgwdcje
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
460 | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
460 | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
3568 | (no name recorded)  (this row is repeated 62 times in the report)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
460 | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
3692 | wgwdcje
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3568 | (no name recorded)
Token: SeCreatePagefilePrivilege | 3568 | (no name recorded)
(this pair of rows alternates 32 times in the report, 64 rows in total)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4516 | FD9A.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description | pid | process | target process
PID 3568 wrote to memory of 4516 | 3568 | (no name recorded) | FD9A.exe
PID 3568 wrote to memory of 4516 | 3568 | (no name recorded) | FD9A.exe
PID 3568 wrote to memory of 4516 | 3568 | (no name recorded) | FD9A.exe
PID 4516 wrote to memory of 4380 | 4516 | FD9A.exe | Utsysc.exe
PID 4516 wrote to memory of 4380 | 4516 | FD9A.exe | Utsysc.exe
PID 4516 wrote to memory of 4380 | 4516 | FD9A.exe | Utsysc.exe
PID 4380 wrote to memory of 4716 | 4380 | Utsysc.exe | schtasks.exe
PID 4380 wrote to memory of 4716 | 4380 | Utsysc.exe | schtasks.exe
PID 4380 wrote to memory of 4716 | 4380 | Utsysc.exe | schtasks.exe
PID 4380 wrote to memory of 3612 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 3612 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 3612 | 4380 | Utsysc.exe | rundll32.exe
PID 3612 wrote to memory of 2512 | 3612 | rundll32.exe | rundll32.exe
PID 3612 wrote to memory of 2512 | 3612 | rundll32.exe | rundll32.exe
PID 4380 wrote to memory of 2264 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 2264 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 2264 | 4380 | Utsysc.exe | rundll32.exe
PID 2264 wrote to memory of 1508 | 2264 | rundll32.exe | rundll32.exe
PID 2264 wrote to memory of 1508 | 2264 | rundll32.exe | rundll32.exe
PID 4380 wrote to memory of 3300 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 3300 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 3300 | 4380 | Utsysc.exe | rundll32.exe
PID 3300 wrote to memory of 5080 | 3300 | rundll32.exe | rundll32.exe
PID 3300 wrote to memory of 5080 | 3300 | rundll32.exe | rundll32.exe
PID 4380 wrote to memory of 4276 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 4276 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 4276 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 472 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 472 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 472 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 4968 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 4968 | 4380 | Utsysc.exe | rundll32.exe
PID 4380 wrote to memory of 4968 | 4380 | Utsysc.exe | rundll32.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: [tree depth] image path, then its command line, signatures and PID)
-
[1] C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 460
-
[1] C:\Users\Admin\AppData\Local\Temp\FD9A.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\FD9A.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4516
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 580
      - Program crash
      PID: 5096
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 664
      - Program crash
      PID: 5080
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 712
      - Program crash
      PID: 4500
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 832
      - Program crash
      PID: 4760
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 840
      - Program crash
      PID: 3472
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 840
      - Program crash
      PID: 2732
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1108
      - Program crash
      PID: 3796
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1168
      - Program crash
      PID: 3352
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1240
      - Program crash
      PID: 2072
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4380
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 604
        - Program crash
        PID: 4424
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 740
        - Program crash
        PID: 3544
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980
        - Program crash
        PID: 4916
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 920
        - Program crash
        PID: 2116
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1004
        - Program crash
        PID: 4056
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980
        - Program crash
        PID: 4984
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1016
        - Program crash
        PID: 5044
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
        - Creates scheduled task(s)
        PID: 4716
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 912
        - Program crash
        PID: 4100
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 692
        - Program crash
        PID: 2820
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1244
        - Program crash
        PID: 2064
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1252
        - Program crash
        PID: 4208
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308
        - Program crash
        PID: 2088
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1352
        - Program crash
        PID: 1244
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1360
        - Program crash
        PID: 1396
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308
        - Program crash
        PID: 1236
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1256
        - Program crash
        PID: 928
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1248
        - Program crash
        PID: 1460
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1508
        - Program crash
        PID: 2272
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1508
        - Program crash
        PID: 696
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1656
        - Program crash
        PID: 4440
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 3612
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          PID: 2512
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2264
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          PID: 1508
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 3300
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          PID: 5080
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID: 4276
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID: 472
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID: 4968
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1708
        - Program crash
        PID: 3508
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980
        - Program crash
        PID: 4100
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 972
      - Program crash
      PID: 4296
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592
      - Program crash
      PID: 2248
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516
    PID: 2440
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516
    PID: 676
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516
    PID: 1064
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4516 -ip 4516
    PID: 3148
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516
    PID: 2328
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516
    PID: 456
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516
    PID: 1268
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516
    PID: 2852
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4516 -ip 4516
    PID: 224
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516
    PID: 640
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4380 -ip 4380
    PID: 4244
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4516 -ip 4516
    PID: 3144
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4380 -ip 4380
    PID: 4964
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
    PID: 2092
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380
    PID: 2324
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4380 -ip 4380
    PID: 4728
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
    PID: 4048
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380
    PID: 2316
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380
    PID: 2256
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4380 -ip 4380
    PID: 5096
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4380 -ip 4380
    PID: 4548
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
    PID: 3824
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380
    PID: 396
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
    PID: 448
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4380 -ip 4380
    PID: 3748
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
    PID: 2756
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380
    PID: 1196
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
    PID: 4092
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380
    PID: 4192
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4380 -ip 4380
    PID: 3168
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4380 -ip 4380
    PID: 2704
-
[1] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    - Executes dropped EXE
    PID: 2256
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 436
      - Program crash
      PID: 3668
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2256 -ip 2256
    PID: 2440
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4380 -ip 4380
    PID: 4964
-
[1] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    - Executes dropped EXE
    PID: 4752
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 428
      - Program crash
      PID: 4528
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752
    PID: 2884
-
[1] C:\Users\Admin\AppData\Roaming\wgwdcje
    Command line: C:\Users\Admin\AppData\Roaming\wgwdcje
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 3692
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380
    PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 77KB
MD5: c14992cb22fef908fc497df941d768e6
SHA1: 881298165b701256d59836666f265a2e4c88e12a
SHA256: 2f03cf4c908d7e5a04e07f5f1d62c230712c86845cbb9bdceac96d67b216cd99
SHA512: 4fa823bff2eae4ed2dd4b2f7d3a2cd44d13853269c0a2dc57047516fcf17058fcbc135518d84e206aa3dcc54aeba51359ef3b2d991a2dd8e90b733b6f84bf8c1
-
Filesize: 384KB
MD5: e1dc6f36bc9f047f33b58c8c0fc2da89
SHA1: cf6dfe8eaa32971eb53f02d0dc7c8ac299968880
SHA256: 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767
SHA512: 6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92
-
Filesize: 102KB
MD5: 4194e9b8b694b1e9b672c36f0d868e32
SHA1: 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256: 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512: f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
-
Filesize: 690KB
MD5: 21162a10cfbe28a6dddec62b295e7a0c
SHA1: 6d558e3e98ca57a4023c5399e6ff487b19d0929b
SHA256: 8a04438efe870069b1e76901fc45d488407960fc0ced4d65a0ade1e4547c0bd4
SHA512: 99b3abaa54d1beca5d4ad57cd015e5ebb761e3cb93e8dd6d710f315e3801eec2c433d3d27ebfec0bb8e7e4efbd5ab7666a8356eef574c1e83e238746673a79b1
-
Filesize: 622KB
MD5: aa5eaea51f4d7d8c2266caddc66209d1
SHA1: a329a90a9fa629a00dddfd5f38630a09bbdd3e3b
SHA256: f801137022a6cdc6be2051e1eaf6b6c5e625d9c5dcf4eb3f2b1cfde2813487a7
SHA512: 71f963107461bc825be2789f865e2dea60d85edc82c8172b65443cb852c4bccce42eb2b1d04255d9388ac02d0549b766fc78b1ce6280d8e730f438201bf919d2
-
Filesize: 779KB
MD5: 10f46f631441fafceebe3f50adf3483a
SHA1: 71a4db8677564916987c9decdf700d7cf6c03382
SHA256: 29e37e287e327f5091e17470bdd8649e6988ae12e45e363d40bebfd8aebd31bf
SHA512: f9532dab7e45e0092a795e8ac5d6d85bd49de1eaaba4463442f81f4287ac669a9bbf62db7213ebf7abc11be083793242edbecbf8261d7da97af2e88a73a8a567
-
Filesize: 446KB
MD5: a8193603af313c5d7398117d1ed7a79b
SHA1: 5bc3f12c5bd68f8ac7fa44046c03f57f38ba0097
SHA256: 6d36855190d24614294d487f04e998df81c6f51f4004bdcf9c7613e63bf276e1
SHA512: b078e1123339f53396fb59b55b3c8d34fefb6fadb558349e41721b73923997ee4f605d86a0d2be8cc7674effaae0853e96644b66155f56b80133671bf0ab0b49
-
Filesize: 1.1MB
MD5: fca02dd2d6de2c1e8d657f57fbb342bc
SHA1: 22901e002420f9a68ad8986bfdda0eebdcfd392e
SHA256: 27aadc733207e0c5f22e6582e08815d36418d723986353b5925654514e305fa0
SHA512: bf047daddaa4bb177aa60b7c60e7a00096545c19656633027e70cadaeaeed3bd1f3d3312ec928ba366260ded9b5106faeffe333928db78f6d1c3ff5e5423e635
-
Filesize: 964KB
MD5: 1423eaf8ec15936e9b5ce5839da6ea5d
SHA1: 8ff8b0caccf59b4870f4ccf1ed79d2bb20583c63
SHA256: 7ecd3999f782ab8692b1a8ae78ba6809866ba0d9ec040bc4017c7336b8387b29
SHA512: 25a4a9c75c58a843d84d4092897279d4e320ddb5860d252e0a6037ec29c952d07dfd98074716ff5f407e70112f82d91b5524b49aedd1e7c9c3eb5d476b5b2358
-
Filesize: 1.1MB
MD5: f01f5bc76b9596e0cfeab8a272cba3a5
SHA1: 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256: 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512: ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63
-
Filesize: 288KB
MD5: e88da5d3f528d78eabc2de83797c2195
SHA1: 7937c0b3fac48fa50aa74e80387a6ff6f463c978
SHA256: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300
SHA512: 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9