Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 04:29
Static task: static1
Behavioral task: behavioral1
Sample: 11dcd8e017b0e067e922cfb6507a8dde.exe
Resource: win7-20240220-en
General
Target: 11dcd8e017b0e067e922cfb6507a8dde.exe
Size: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
SSDEEP: 6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Malware Config

Extracted: amadey 4.18
install_dir: 154561dcbf
install_file: Dctooux.exe
strings_key: 2cd47fa043c815e1a033c67832f3c6a5
url_paths: /j4Fvskd3/index.php

Extracted: vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted: asyncrat 0.5.8
Default
94.228.162.82:6606
94.228.162.82:7707
94.228.162.82:8808
YBc01FE5mcOd
delay: 3
install: true
install_file: appBroker.exe
install_folder: %AppData%
Signatures

Detect Vidar Stealer (7 IoCs)
resource  yara_rule
behavioral2/memory/2052-54-0x0000000003020000-0x0000000003120000-memory.dmp  family_vidar_v7
behavioral2/memory/2052-55-0x0000000002DA0000-0x0000000002DD5000-memory.dmp  family_vidar_v7
behavioral2/memory/2052-56-0x0000000000400000-0x0000000002C2E000-memory.dmp  family_vidar_v7
behavioral2/memory/2052-58-0x0000000000400000-0x0000000002C2E000-memory.dmp  family_vidar_v7
behavioral2/files/0x001800000002340a-66.dat  family_vidar_v7
behavioral2/memory/4420-91-0x0000000000400000-0x0000000002C2E000-memory.dmp  family_vidar_v7
behavioral2/memory/4420-123-0x0000000000400000-0x0000000002C2E000-memory.dmp  family_vidar_v7

Detect ZGRat V1 (2 IoCs)
resource  yara_rule
behavioral2/memory/4724-142-0x0000000006500000-0x000000000659C000-memory.dmp  family_zgrat_v1
behavioral2/memory/4724-154-0x0000000006720000-0x0000000006782000-memory.dmp  family_zgrat_v1

Async RAT payload (1 IoC)
resource  yara_rule
behavioral2/files/0x000d000000023418-108.dat  family_asyncrat

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation  11dcd8e017b0e067e922cfb6507a8dde.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation  Dctooux.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation  AsyncClient.exe

Executes dropped EXE (7 IoCs)
pid  Process
3120  Dctooux.exe
4404  Dctooux.exe
2052  vidar.exe
4420  vidar.exe
1524  AsyncClient.exe
4724  appBroker.exe
4852  Dctooux.exe

Loads dropped DLL (2 IoCs)
pid  Process
3212  rundll32.exe
212  rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main"  Dctooux.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe"  Dctooux.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main"  Dctooux.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe"  Dctooux.exe

Drops file in Windows directory (1 IoC)
description  ioc  Process
File created  C:\Windows\Tasks\Dctooux.job  11dcd8e017b0e067e922cfb6507a8dde.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (36 IoCs)
pid  pid_target  Process  procid_target
4980  3076  WerFault.exe  83
1564  3076  WerFault.exe  83
3308  3076  WerFault.exe  83
5072  3076  WerFault.exe  83
1872  3076  WerFault.exe  83
3760  3076  WerFault.exe  83
3344  3076  WerFault.exe  83
4604  3076  WerFault.exe  83
748  3076  WerFault.exe  83
4332  3076  WerFault.exe  83
1468  3076  WerFault.exe  83
1864  3120  WerFault.exe  109
4016  3120  WerFault.exe  109
3468  3120  WerFault.exe  109
2848  3120  WerFault.exe  109
1420  3120  WerFault.exe  109
2408  3120  WerFault.exe  109
2440  3120  WerFault.exe  109
724  3120  WerFault.exe  109
3284  3120  WerFault.exe  109
3732  3120  WerFault.exe  109
4588  3120  WerFault.exe  109
4608  3120  WerFault.exe  109
2148  4404  WerFault.exe  139
2476  3120  WerFault.exe  109
4332  3120  WerFault.exe  109
2000  3120  WerFault.exe  109
4736  2052  WerFault.exe  146
752  3120  WerFault.exe  109
4556  3120  WerFault.exe  109
1376  3120  WerFault.exe  109
4692  3120  WerFault.exe  109
1992  4420  WerFault.exe  156
1312  4852  WerFault.exe  174
3624  3120  WerFault.exe  109
3484  3120  WerFault.exe  109

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
4124  schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid  Process
4828  timeout.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid  Process
1524  AsyncClient.exe  (the same entry is reported 19 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1524  AsyncClient.exe
Token: SeDebugPrivilege  4724  appBroker.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid  Process
3076  11dcd8e017b0e067e922cfb6507a8dde.exe

Suspicious use of WriteProcessMemory (41 IoCs; identical consecutive entries collapsed, count in last column)
description  pid  Process  procid_target  entries
PID 3076 wrote to memory of 3120  3076  11dcd8e017b0e067e922cfb6507a8dde.exe  109  3
PID 3120 wrote to memory of 2052  3120  Dctooux.exe  146  3
PID 3120 wrote to memory of 3212  3120  Dctooux.exe  152  3
PID 3120 wrote to memory of 2492  3120  Dctooux.exe  153  3
PID 3120 wrote to memory of 4420  3120  Dctooux.exe  156  3
PID 3120 wrote to memory of 212  3120  Dctooux.exe  159  3
PID 3120 wrote to memory of 1524  3120  Dctooux.exe  162  3
PID 1524 wrote to memory of 3668  1524  AsyncClient.exe  167  3
PID 1524 wrote to memory of 4028  1524  AsyncClient.exe  169  3
PID 4028 wrote to memory of 4828  4028  cmd.exe  171  3
PID 3668 wrote to memory of 4124  3668  cmd.exe  172  3
PID 4028 wrote to memory of 4724  4028  cmd.exe  173  3
PID 3120 wrote to memory of 4864  3120  Dctooux.exe  181  3
PID 4864 wrote to memory of 2784  4864  rundll32.exe  182  2
Processes
(indentation shows the parent/child relationship; each entry is "PID  image  cmd: command line", followed by the signatures matched on that process)

PID:3076  C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4980  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 764
    - Program crash
  PID:1564  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 780
    - Program crash
  PID:3308  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 856
    - Program crash
  PID:5072  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 932
    - Program crash
  PID:1872  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 936
    - Program crash
  PID:3760  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 936
    - Program crash
  PID:3344  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1132
    - Program crash
  PID:4604  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1116
    - Program crash
  PID:748  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1240
    - Program crash
  PID:3120  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1864  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 552
      - Program crash
    PID:4016  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 572
      - Program crash
    PID:3468  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 580
      - Program crash
    PID:2848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 716
      - Program crash
    PID:1420  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 876
      - Program crash
    PID:2408  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 884
      - Program crash
    PID:2440  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 904
      - Program crash
    PID:724  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 916
      - Program crash
    PID:3284  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 968
      - Program crash
    PID:3732  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 988
      - Program crash
    PID:4588  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1148
      - Program crash
    PID:4608  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1312
      - Program crash
    PID:2476  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1436
      - Program crash
    PID:4332  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1676
      - Program crash
    PID:2052  C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
      - Executes dropped EXE
      PID:4736  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2064
        - Program crash
    PID:2000  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1660
      - Program crash
    PID:3212  C:\Windows\SysWOW64\rundll32.exe  cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
      - Loads dropped DLL
    PID:2492  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    PID:752  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1388
      - Program crash
    PID:4420  C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe  cmd: "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
      - Executes dropped EXE
      PID:1992  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2064
        - Program crash
    PID:4556  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1820
      - Program crash
    PID:212  C:\Windows\SysWOW64\rundll32.exe  cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
      - Loads dropped DLL
    PID:1376  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1652
      - Program crash
    PID:1524  C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe  cmd: "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3668  C:\Windows\SysWOW64\cmd.exe  cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
        - Suspicious use of WriteProcessMemory
        PID:4124  C:\Windows\SysWOW64\schtasks.exe  cmd: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
          - Creates scheduled task(s)
      PID:4028  C:\Windows\SysWOW64\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat""
        - Suspicious use of WriteProcessMemory
        PID:4828  C:\Windows\SysWOW64\timeout.exe  cmd: timeout 3
          - Delays execution with timeout.exe
        PID:4724  C:\Users\Admin\AppData\Roaming\appBroker.exe  cmd: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    PID:4692  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1440
      - Program crash
    PID:3624  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1692
      - Program crash
    PID:3484  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1824
      - Program crash
    PID:4864  C:\Windows\SysWOW64\rundll32.exe  cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      - Suspicious use of WriteProcessMemory
      PID:2784  C:\Windows\system32\rundll32.exe  cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
  PID:4332  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1008
    - Program crash
  PID:1468  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1636
    - Program crash
PID:4372  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3076 -ip 3076
PID:4556  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3076 -ip 3076
PID:4420  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3076 -ip 3076
PID:3080  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3076 -ip 3076
PID:2088  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076
PID:1512  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3076 -ip 3076
PID:4520  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3076 -ip 3076
PID:4348  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3076 -ip 3076
PID:3668  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3076 -ip 3076
PID:3048  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076
PID:2232  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3076 -ip 3076
PID:3536  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3120 -ip 3120
PID:4100  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120
PID:3972  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3120 -ip 3120
PID:2276  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120
PID:4736  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120
PID:2156  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3120 -ip 3120
PID:3248  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3120 -ip 3120
PID:1508  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3120 -ip 3120
PID:4344  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3120 -ip 3120
PID:772  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3120 -ip 3120
PID:4424  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3120 -ip 3120
PID:3484  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3120 -ip 3120
PID:4404  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe  cmd: C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  - Executes dropped EXE
  PID:2148  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 440
    - Program crash
PID:4632  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4404 -ip 4404
PID:1272  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3120 -ip 3120
PID:1380  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3120 -ip 3120
PID:2716  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3120 -ip 3120
PID:2848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2052 -ip 2052
PID:1704  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120
PID:4444  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120
PID:2584  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3120 -ip 3120
PID:876  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120
PID:4280  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4420 -ip 4420
PID:4852  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe  cmd: C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  - Executes dropped EXE
  PID:1312  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 440
    - Program crash
PID:1812  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4852 -ip 4852
PID:1064  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3120 -ip 3120
PID:4588  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3120 -ip 3120
Network
MITRE ATT&CK Enterprise v15
Downloads