Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 04:28
Static task
static1
Behavioral task
behavioral1
Sample
11dcd8e017b0e067e922cfb6507a8dde.exe
Resource
win7-20240215-en
General
Target: 11dcd8e017b0e067e922cfb6507a8dde.exe
Size: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
SSDEEP: 6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Malware Config
Extracted: amadey 4.18
  install_dir: 154561dcbf
  install_file: Dctooux.exe
  strings_key: 2cd47fa043c815e1a033c67832f3c6a5
  url_paths: /j4Fvskd3/index.php
Extracted: vidar
  https://steamcommunity.com/profiles/76561199673019888
  https://t.me/irfail
  user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted: asyncrat 0.5.8
  Default
  94.228.162.82:6606
  94.228.162.82:7707
  94.228.162.82:8808
  YBc01FE5mcOd
  delay: 3
  install: true
  install_file: appBroker.exe
  install_folder: %AppData%
Signatures

Detect Vidar Stealer (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4888-49-0x0000000002DD0000-0x0000000002E05000-memory.dmp   family_vidar_v7
  behavioral2/memory/4888-50-0x0000000000400000-0x0000000002C2E000-memory.dmp   family_vidar_v7
  behavioral2/memory/4888-52-0x0000000000400000-0x0000000002C2E000-memory.dmp   family_vidar_v7
  behavioral2/files/0x0040000000023413-59.dat                                   family_vidar_v7
  behavioral2/memory/5080-92-0x0000000000400000-0x0000000002C2E000-memory.dmp   family_vidar_v7
  behavioral2/memory/5080-119-0x0000000000400000-0x0000000002C2E000-memory.dmp  family_vidar_v7

Detect ZGRat V1 (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2060-140-0x0000000006510000-0x00000000065AC000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2060-146-0x0000000006720000-0x0000000006782000-memory.dmp  family_zgrat_v1

Async RAT payload (1 IoC)
  resource                                      yara_rule
  behavioral2/files/0x0009000000023427-100.dat  family_asyncrat

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  76    4416  rundll32.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation  11dcd8e017b0e067e922cfb6507a8dde.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation  Dctooux.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation  AsyncClient.exe

Executes dropped EXE (7 IoCs)
  pid   Process
  4860  Dctooux.exe
  4888  vidar.exe
  5080  vidar.exe
  2732  AsyncClient.exe
  680   Dctooux.exe
  2060  appBroker.exe
  856   Dctooux.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  3928  rundll32.exe
  4344  rundll32.exe
  3592  rundll32.exe
  4416  rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 5 IoCs)
  description      ioc                                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe"                  Dctooux.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main"  Dctooux.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe"      Dctooux.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe"              Dctooux.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main"  Dctooux.exe

Drops file in Windows directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\Tasks\Dctooux.job     11dcd8e017b0e067e922cfb6507a8dde.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (36 IoCs)
  pid   pid_target  Process       procid_target
  5004  3016        WerFault.exe  82
  4816  3016        WerFault.exe  82
  4552  3016        WerFault.exe  82
  392   3016        WerFault.exe  82
  4836  3016        WerFault.exe  82
  3872  3016        WerFault.exe  82
  4572  3016        WerFault.exe  82
  748   3016        WerFault.exe  82
  1700  3016        WerFault.exe  82
  2768  3016        WerFault.exe  82
  3744  3016        WerFault.exe  82
  856   4860        WerFault.exe  108
  3932  4860        WerFault.exe  108
  1392  4860        WerFault.exe  108
  2500  4860        WerFault.exe  108
  4604  4860        WerFault.exe  108
  2164  4860        WerFault.exe  108
  952   4860        WerFault.exe  108
  4668  4860        WerFault.exe  108
  860   4860        WerFault.exe  108
  3500  4860        WerFault.exe  108
  4920  4860        WerFault.exe  108
  2956  4860        WerFault.exe  108
  4732  4860        WerFault.exe  108
  2640  4860        WerFault.exe  108
  2548  4860        WerFault.exe  108
  4248  4888        WerFault.exe  140
  4984  4860        WerFault.exe  108
  4076  4860        WerFault.exe  108
  1572  4860        WerFault.exe  108
  4920  4860        WerFault.exe  108
  3228  5080        WerFault.exe  152
  912   680         WerFault.exe  161
  3276  4860        WerFault.exe  108
  1848  856         WerFault.exe  175
  2672  4860        WerFault.exe  108

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4580  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid   Process
  4572  timeout.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   Process          count
  2732  AsyncClient.exe  19
  4416  rundll32.exe     10
  4172  powershell.exe   2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2732  AsyncClient.exe
  Token: SeDebugPrivilege  2060  appBroker.exe
  Token: SeDebugPrivilege  4172  powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3016  11dcd8e017b0e067e922cfb6507a8dde.exe

Suspicious use of WriteProcessMemory (45 IoCs)
  description                        pid   Process                               procid_target  count
  PID 3016 wrote to memory of 4860   3016  11dcd8e017b0e067e922cfb6507a8dde.exe  108            3
  PID 4860 wrote to memory of 4888   4860  Dctooux.exe                           140            3
  PID 4860 wrote to memory of 3928   4860  Dctooux.exe                           148            3
  PID 4860 wrote to memory of 1408   4860  Dctooux.exe                           149            3
  PID 4860 wrote to memory of 5080   4860  Dctooux.exe                           152            3
  PID 4860 wrote to memory of 4344   4860  Dctooux.exe                           155            3
  PID 4860 wrote to memory of 2732   4860  Dctooux.exe                           158            3
  PID 2732 wrote to memory of 4492   2732  AsyncClient.exe                       166            3
  PID 2732 wrote to memory of 4124   2732  AsyncClient.exe                       168            3
  PID 4124 wrote to memory of 4572   4124  cmd.exe                               170            3
  PID 4492 wrote to memory of 4580   4492  cmd.exe                               171            3
  PID 4124 wrote to memory of 2060   4124  cmd.exe                               172            3
  PID 4860 wrote to memory of 3592   4860  Dctooux.exe                           180            3
  PID 3592 wrote to memory of 4416   3592  rundll32.exe                          181            2
  PID 4416 wrote to memory of 4364   4416  rundll32.exe                          182            2
  PID 4416 wrote to memory of 4172   4416  rundll32.exe                          184            2
Processes
(one process per entry; indentation shows the parent/child relationship; "image:" is given only where the on-disk image path differs from the path in the command line)

PID 3016: "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID 5004: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 744
    - Program crash
  PID 4816: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 820
    - Program crash
  PID 4552: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 856
    - Program crash
  PID 392: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 904
    - Program crash
  PID 4836: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 912
    - Program crash
  PID 3872: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 860
    - Program crash
  PID 4572: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1136
    - Program crash
  PID 748: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1156
    - Program crash
  PID 1700: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1240
    - Program crash
  PID 4860: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID 856: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 552
      - Program crash
    PID 3932: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 560
      - Program crash
    PID 1392: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 568
      - Program crash
    PID 2500: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 712
      - Program crash
    PID 4604: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
      - Program crash
    PID 2164: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 916
      - Program crash
    PID 952: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
      - Program crash
    PID 4668: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 916
      - Program crash
    PID 860: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 904
      - Program crash
    PID 3500: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 968
      - Program crash
    PID 4920: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1140
      - Program crash
    PID 2956: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1328
      - Program crash
    PID 4732: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1092
      - Program crash
    PID 2640: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1656
      - Program crash
    PID 4888: "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
      - Executes dropped EXE
      PID 4248: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 2064
        - Program crash
    PID 2548: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1676
      - Program crash
    PID 3928: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
      image: C:\Windows\SysWOW64\rundll32.exe
      - Loads dropped DLL
    PID 1408: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    PID 4984: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1800
      - Program crash
    PID 5080: "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
      - Executes dropped EXE
      PID 3228: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 2072
        - Program crash
    PID 4076: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1792
      - Program crash
    PID 4344: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
      image: C:\Windows\SysWOW64\rundll32.exe
      - Loads dropped DLL
    PID 1572: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1640
      - Program crash
    PID 2732: "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 4492: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
        image: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of WriteProcessMemory
        PID 4580: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
          image: C:\Windows\SysWOW64\schtasks.exe
          - Creates scheduled task(s)
      PID 4124: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat""
        image: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of WriteProcessMemory
        PID 4572: timeout 3
          image: C:\Windows\SysWOW64\timeout.exe
          - Delays execution with timeout.exe
        PID 2060: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    PID 4920: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1632
      - Program crash
    PID 3276: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1656
      - Program crash
    PID 2672: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1808
      - Program crash
    PID 3592: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      image: C:\Windows\SysWOW64\rundll32.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID 4416: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        image: C:\Windows\system32\rundll32.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID 4364: netsh wlan show profiles
          image: C:\Windows\system32\netsh.exe
        PID 4172: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal
          image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  PID 2768: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1616
    - Program crash
  PID 3744: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1256
    - Program crash

PID 4140: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3016 -ip 3016
PID 3300: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3016 -ip 3016
PID 2608: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3016 -ip 3016
PID 2864: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
PID 3732: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3016 -ip 3016
PID 3116: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016
PID 4608: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3016 -ip 3016
PID 2420: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3016 -ip 3016
PID 1000: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
PID 1708: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
PID 4248: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3016 -ip 3016
PID 640: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
PID 1364: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4860 -ip 4860
PID 464: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
PID 216: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
PID 1952: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4860 -ip 4860
PID 1796: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4860 -ip 4860
PID 2588: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
PID 4408: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4860 -ip 4860
PID 4364: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4860 -ip 4860
PID 2952: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
PID 3220: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4860 -ip 4860
PID 3784: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
PID 3368: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4860 -ip 4860
PID 4124: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
PID 4852: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
PID 4360: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4888 -ip 4888
PID 4536: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4860 -ip 4860
PID 1952: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
PID 4020: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4860 -ip 4860
PID 4172: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860

PID 680: C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  - Executes dropped EXE
  PID 912: C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 448
    - Program crash

PID 2328: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5080 -ip 5080
PID 2552: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 680 -ip 680
PID 2668: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860

PID 856: C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  - Executes dropped EXE
  PID 1848: C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 440
    - Program crash

PID 3268: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 856 -ip 856
PID 1964: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 33KB
MD5: 0f211e72e08c4d3630c15b76c6a7e63a
SHA1: 287f558b1ddd01c782ffefa6f33a9e20c26feb8e
SHA256: 370736e438efa48dc2a5751a7a5d1e55c40aa8e0bcb6cc26d8c42d8b072af253
SHA512: 221359240c9720efafd4ff45f80c75cdab4c4ff506f7b95a5ff7bf412e543bfef32aca5c1a4ff077c9e54220185fa1b9f7ffb2bed74a763cc6905df6fde0af2f

Filesize: 300KB
MD5: b099ea0b80ecf49caa0d7003e0c95071
SHA1: 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256: 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512: 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

Filesize: 243KB
MD5: 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1: dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256: 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512: fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

Filesize: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

Filesize: 84KB
MD5: 61c6759b7d1ab0dfcfbccbb328d3108b
SHA1: b1c6cea6b6edc3d496ac4c8dae3b57a38ef58977
SHA256: 8f74a77e8e7cc3fcc2c36864aa9a6be195becfa1de3ea989b2ebe74fd2ae25c7
SHA512: 5a39fce9387f05ef72b71916dcc560d77abf9c824c8d6ebb4a8e166a5d2cf16b66537a77fa5e4e3682f422ba72c7e0cd106ee4c765c49569d3951b048af20184

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 153B
MD5: 2de12864e056681a7aac7ea1c0de88f6
SHA1: 8b3b3fcb9a2fc1d10a4a6aa5c0f8832e3a8a7cf0
SHA256: 21d7f784e4b9990683377a96ddbacc0788b6459f16263c60ec289f79de6d0f2b
SHA512: 80a656c50090aafbd2532c797e96f8e6a14d92f3aae024902c534e7b8ca380bdfea009af6a7118010460ccbeb32209c0942e673b6e982e90b6c0ea8c9205eee7

Filesize: 48KB
MD5: 7fd8581748cdf137023ef96f1286ce0f
SHA1: c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512: bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

Filesize: 1.2MB
MD5: 4876ee75ce2712147c41ff1277cd2d30
SHA1: 3733dc92318f0c6b92cb201e49151686281acda6
SHA256: bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512: 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9