Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
16-02-2024 18:38
Static task
static1
Behavioral task
behavioral1
Sample
RnnWoAEP9mUhOXN_9mNdOzaP.exe
Resource
win7-20231215-en
General
-
Target
RnnWoAEP9mUhOXN_9mNdOzaP.exe
-
Size
211KB
-
MD5
28c17350f0da6941f68bbea0eb5af380
-
SHA1
42d3ea0b53b6f76b729a9cef45341fae29933d88
-
SHA256
c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b
-
SHA512
b1bd4d2d1787575b7d5155926aa248203b317f33e13eb237ecb1d33353c3146e6ed67da239f0e96ff98adf8aa7309e6f37f666107176bb6461621d7287fb750f
-
SSDEEP
3072:BIVw4zCuQGezasu4/2z6EuQ/yu0ZsBMRpSQDB8mm3CmO:BIm4GudBsukQ5o8NR
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
amadey
4.14
http://anfesq.com
http://cbinr.com
http://rimakc.ru
-
install_dir
68fd3d7ade
-
install_file
Utsysc.exe
-
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
-
url_paths
/forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
EB3B.exeUtsysc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation EB3B.exe Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation Utsysc.exe -
Deletes itself 1 IoCs
Processes:
pid process 3416 -
Executes dropped EXE 5 IoCs
Processes:
EB3B.exeUtsysc.exeUtsysc.exeUtsysc.exejggbgtdpid process 3216 EB3B.exe 5076 Utsysc.exe 1888 Utsysc.exe 2580 Utsysc.exe 4812 jggbgtd -
Loads dropped DLL 9 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exepid process 4656 rundll32.exe 4720 rundll32.exe 4676 rundll32.exe 5028 rundll32.exe 1056 rundll32.exe 1884 rundll32.exe 3596 rundll32.exe 4336 rundll32.exe 1728 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 34 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2456 3216 WerFault.exe EB3B.exe 3756 3216 WerFault.exe EB3B.exe 2412 3216 WerFault.exe EB3B.exe 4284 3216 WerFault.exe EB3B.exe 3404 3216 WerFault.exe EB3B.exe 5068 3216 WerFault.exe EB3B.exe 4076 3216 WerFault.exe EB3B.exe 960 3216 WerFault.exe EB3B.exe 1936 3216 WerFault.exe EB3B.exe 4928 3216 WerFault.exe EB3B.exe 4460 5076 WerFault.exe Utsysc.exe 944 5076 WerFault.exe Utsysc.exe 4088 5076 WerFault.exe Utsysc.exe 832 5076 WerFault.exe Utsysc.exe 1472 5076 WerFault.exe Utsysc.exe 2024 5076 WerFault.exe Utsysc.exe 1432 5076 WerFault.exe Utsysc.exe 5104 5076 WerFault.exe Utsysc.exe 3108 5076 WerFault.exe Utsysc.exe 2328 5076 WerFault.exe Utsysc.exe 4760 5076 WerFault.exe Utsysc.exe 212 5076 WerFault.exe Utsysc.exe 1536 5076 WerFault.exe Utsysc.exe 4872 5076 WerFault.exe Utsysc.exe 3052 5076 WerFault.exe Utsysc.exe 2920 5076 WerFault.exe Utsysc.exe 4148 5076 WerFault.exe Utsysc.exe 4164 1888 WerFault.exe Utsysc.exe 5096 5076 WerFault.exe Utsysc.exe 2260 5076 WerFault.exe Utsysc.exe 4788 5076 WerFault.exe Utsysc.exe 4632 2580 WerFault.exe Utsysc.exe 2768 5076 WerFault.exe Utsysc.exe 2480 5076 WerFault.exe Utsysc.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
RnnWoAEP9mUhOXN_9mNdOzaP.exejggbgtddescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RnnWoAEP9mUhOXN_9mNdOzaP.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RnnWoAEP9mUhOXN_9mNdOzaP.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RnnWoAEP9mUhOXN_9mNdOzaP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jggbgtd Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jggbgtd Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jggbgtd -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
RnnWoAEP9mUhOXN_9mNdOzaP.exepid process 5112 RnnWoAEP9mUhOXN_9mNdOzaP.exe 5112 RnnWoAEP9mUhOXN_9mNdOzaP.exe 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 3416 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
RnnWoAEP9mUhOXN_9mNdOzaP.exejggbgtdpid process 5112 RnnWoAEP9mUhOXN_9mNdOzaP.exe 4812 jggbgtd -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 Token: SeShutdownPrivilege 3416 Token: SeCreatePagefilePrivilege 3416 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
EB3B.exepid process 3216 EB3B.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
EB3B.exeUtsysc.exerundll32.exerundll32.exerundll32.exedescription pid process target process PID 3416 wrote to memory of 3216 3416 EB3B.exe PID 3416 wrote to memory of 3216 3416 EB3B.exe PID 3416 wrote to memory of 3216 3416 EB3B.exe PID 3216 wrote to memory of 5076 3216 EB3B.exe Utsysc.exe PID 3216 wrote to memory of 5076 3216 EB3B.exe Utsysc.exe PID 3216 wrote to memory of 5076 3216 EB3B.exe Utsysc.exe PID 5076 wrote to memory of 1540 5076 Utsysc.exe schtasks.exe PID 5076 wrote to memory of 1540 5076 Utsysc.exe schtasks.exe PID 5076 wrote to memory of 1540 5076 Utsysc.exe schtasks.exe PID 5076 wrote to memory of 4656 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4656 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4656 5076 Utsysc.exe rundll32.exe PID 4656 wrote to memory of 4720 4656 rundll32.exe rundll32.exe PID 4656 wrote to memory of 4720 4656 rundll32.exe rundll32.exe PID 5076 wrote to memory of 4676 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4676 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4676 5076 Utsysc.exe rundll32.exe PID 4676 wrote to memory of 5028 4676 rundll32.exe rundll32.exe PID 4676 wrote to memory of 5028 4676 rundll32.exe rundll32.exe PID 5076 wrote to memory of 1056 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 1056 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 1056 5076 Utsysc.exe rundll32.exe PID 1056 wrote to memory of 1884 1056 rundll32.exe rundll32.exe PID 1056 wrote to memory of 1884 1056 rundll32.exe rundll32.exe PID 5076 wrote to memory of 3596 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 3596 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 3596 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4336 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4336 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 4336 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 1728 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 1728 5076 Utsysc.exe rundll32.exe PID 5076 wrote to memory of 1728 5076 Utsysc.exe rundll32.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5112
-
C:\Users\Admin\AppData\Local\Temp\EB3B.exeC:\Users\Admin\AppData\Local\Temp\EB3B.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 5922⤵
- Program crash
PID:2456 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 6762⤵
- Program crash
PID:3756 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 7322⤵
- Program crash
PID:2412 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 8362⤵
- Program crash
PID:4284 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 8402⤵
- Program crash
PID:3404 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 8402⤵
- Program crash
PID:5068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 11162⤵
- Program crash
PID:4076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 11162⤵
- Program crash
PID:960 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 12122⤵
- Program crash
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 6163⤵
- Program crash
PID:4460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 7803⤵
- Program crash
PID:944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 7923⤵
- Program crash
PID:4088 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 9643⤵
- Program crash
PID:832 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 9723⤵
- Program crash
PID:1472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 9723⤵
- Program crash
PID:2024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 10123⤵
- Program crash
PID:1432 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F3⤵
- Creates scheduled task(s)
PID:1540 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 9083⤵
- Program crash
PID:5104 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 11163⤵
- Program crash
PID:3108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 8323⤵
- Program crash
PID:2328 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 12083⤵
- Program crash
PID:4760 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 6643⤵
- Program crash
PID:212 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 6203⤵
- Program crash
PID:1536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 12323⤵
- Program crash
PID:4872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 13203⤵
- Program crash
PID:3052 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 13323⤵
- Program crash
PID:2920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 13203⤵
- Program crash
PID:4148 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 15523⤵
- Program crash
PID:5096 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 16323⤵
- Program crash
PID:2260 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 16683⤵
- Program crash
PID:4788 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main4⤵
- Loads dropped DLL
PID:4720 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main4⤵
- Loads dropped DLL
PID:5028 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main4⤵
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main3⤵
- Loads dropped DLL
PID:3596 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main3⤵
- Loads dropped DLL
PID:4336 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main3⤵
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 13763⤵
- Program crash
PID:2768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 9963⤵
- Program crash
PID:2480 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 12522⤵
- Program crash
PID:4928
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3216 -ip 32161⤵PID:324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3216 -ip 32161⤵PID:4504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3216 -ip 32161⤵PID:2780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3216 -ip 32161⤵PID:5056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3216 -ip 32161⤵PID:5036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3216 -ip 32161⤵PID:2688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3216 -ip 32161⤵PID:1564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3216 -ip 32161⤵PID:3184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3216 -ip 32161⤵PID:3588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3216 -ip 32161⤵PID:3232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5076 -ip 50761⤵PID:4324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5076 -ip 50761⤵PID:2240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5076 -ip 50761⤵PID:3168
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5076 -ip 50761⤵PID:4492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5076 -ip 50761⤵PID:3056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5076 -ip 50761⤵PID:1996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5076 -ip 50761⤵PID:748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5076 -ip 50761⤵PID:1664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5076 -ip 50761⤵PID:2320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5076 -ip 50761⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe1⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 3562⤵
- Program crash
PID:4164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5076 -ip 50761⤵PID:2356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5076 -ip 50761⤵PID:4524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5076 -ip 50761⤵PID:4828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 50761⤵PID:4776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 50761⤵PID:4624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5076 -ip 50761⤵PID:3032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5076 -ip 50761⤵PID:2396
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1888 -ip 18881⤵PID:2964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5076 -ip 50761⤵PID:2656
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5076 -ip 50761⤵PID:3836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5076 -ip 50761⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe1⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 4442⤵
- Program crash
PID:4632
-
C:\Users\Admin\AppData\Roaming\jggbgtdC:\Users\Admin\AppData\Roaming\jggbgtd1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2580 -ip 25801⤵PID:3852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5076 -ip 50761⤵PID:2816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5076 -ip 50761⤵PID:3404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5727482b1fc22a027c032c7bc91dbf31c
SHA1f6fb8fb073e1a5c7b8d3628442b8f434ba9b2697
SHA2564a5e0fe80f35a41d93aeb6a289e27840cb14449479bc6a162a27991e3c695d80
SHA512214df1563bddf47e2fe2354adeb799568211172d48dd18033b432b8743e771c1dc3a59e321caa6d3e100c0035970326d24014bc0f2d6ba511bd79c3bf5233ab7
-
Filesize
390KB
MD5de9eed60d051b20487c956a514adbed4
SHA12c4c6363c3be184b507265764c1e9765022e6a1b
SHA256ec2cfa28611f55c9901f26e90774e266854a34ef33d58565e574e0f76284d510
SHA51286f3efb5dee8c01490a3c2b46996512ca041d463e2a5cbd17d672fdf5b398dfae6a0a3d63b35b003937ae8dddecd7c3c2b3c5c7895cb754975a2fa63d293dc51
-
Filesize
102KB
MD54194e9b8b694b1e9b672c36f0d868e32
SHA1252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA25697e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
-
Filesize
1.1MB
MD5f01f5bc76b9596e0cfeab8a272cba3a5
SHA119cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA25683ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63
-
Filesize
211KB
MD528c17350f0da6941f68bbea0eb5af380
SHA142d3ea0b53b6f76b729a9cef45341fae29933d88
SHA256c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b
SHA512b1bd4d2d1787575b7d5155926aa248203b317f33e13eb237ecb1d33353c3146e6ed67da239f0e96ff98adf8aa7309e6f37f666107176bb6461621d7287fb750f