Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 04:32
Static task: static1
Behavioral task: behavioral1
Sample: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Resource: win10v2004-20240412-en
General
Target: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Size: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
SSDEEP: 6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Malware Config
Extracted: amadey 4.18
install_dir: 154561dcbf
install_file: Dctooux.exe
strings_key: 2cd47fa043c815e1a033c67832f3c6a5
url_paths: /j4Fvskd3/index.php
Extracted: vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted: asyncrat 0.5.8
Default
94.228.162.82:6606
94.228.162.82:7707
94.228.162.82:8808
YBc01FE5mcOd
delay: 3
install: true
install_file: appBroker.exe
install_folder: %AppData%
Signatures
Detect Vidar Stealer (6 IoCs)
resource | yara_rule
behavioral1/memory/4012-49-0x0000000002EF0000-0x0000000002F25000-memory.dmp | family_vidar_v7
behavioral1/memory/4012-50-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/memory/4012-53-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/files/0x000700000002342e-64.dat | family_vidar_v7
behavioral1/memory/3384-89-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/memory/3384-121-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
Detect ZGRat V1 (2 IoCs)
resource | yara_rule
behavioral1/memory/1144-140-0x0000000006810000-0x00000000068AC000-memory.dmp | family_zgrat_v1
behavioral1/memory/1144-145-0x0000000006B20000-0x0000000006B82000-memory.dmp | family_zgrat_v1
Async RAT payload (1 IoC)
resource | yara_rule
behavioral1/files/0x000d000000023434-106.dat | family_asyncrat
Blocklisted process makes network request (1 IoC)
flow | pid | Process
74 | 1292 | rundll32.exe
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | Dctooux.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | AsyncClient.exe
Executes dropped EXE (7 IoCs)
pid | Process
2408 | Dctooux.exe
4012 | vidar.exe
3000 | Dctooux.exe
3384 | vidar.exe
4348 | AsyncClient.exe
1144 | appBroker.exe
5044 | Dctooux.exe
Loads dropped DLL (4 IoCs)
pid | Process
4188 | rundll32.exe
2764 | rundll32.exe
2192 | rundll32.exe
1292 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | Dctooux.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\Dctooux.job | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (36 IoCs)
pid | pid_target | Process | procid_target
3188 | 4928 | WerFault.exe | 89
1232 | 4928 | WerFault.exe | 89
3820 | 4928 | WerFault.exe | 89
4032 | 4928 | WerFault.exe | 89
3004 | 4928 | WerFault.exe | 89
1928 | 4928 | WerFault.exe | 89
3596 | 4928 | WerFault.exe | 89
4756 | 4928 | WerFault.exe | 89
3916 | 4928 | WerFault.exe | 89
3980 | 4928 | WerFault.exe | 89
1936 | 4928 | WerFault.exe | 89
2212 | 2408 | WerFault.exe | 114
4504 | 2408 | WerFault.exe | 114
3000 | 2408 | WerFault.exe | 114
3956 | 2408 | WerFault.exe | 114
2984 | 2408 | WerFault.exe | 114
4948 | 2408 | WerFault.exe | 114
2332 | 2408 | WerFault.exe | 114
1628 | 2408 | WerFault.exe | 114
1664 | 2408 | WerFault.exe | 114
3728 | 2408 | WerFault.exe | 114
4716 | 2408 | WerFault.exe | 114
2928 | 2408 | WerFault.exe | 114
2444 | 2408 | WerFault.exe | 114
3140 | 2408 | WerFault.exe | 114
3012 | 2408 | WerFault.exe | 114
2252 | 4012 | WerFault.exe | 148
804 | 3000 | WerFault.exe | 153
3556 | 2408 | WerFault.exe | 114
1768 | 2408 | WerFault.exe | 114
968 | 2408 | WerFault.exe | 114
528 | 2408 | WerFault.exe | 114
4804 | 3384 | WerFault.exe | 161
3804 | 2408 | WerFault.exe | 114
3828 | 5044 | WerFault.exe | 181
1408 | 2408 | WerFault.exe | 114
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3492 | schtasks.exe
Delays execution with timeout.exe (1 IoC)
pid | Process
2320 | timeout.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | Process
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
4348 | AsyncClient.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
1292 | rundll32.exe
4152 | powershell.exe
4152 | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4348 | AsyncClient.exe
Token: SeDebugPrivilege | 1144 | appBroker.exe
Token: SeDebugPrivilege | 4152 | powershell.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4928 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Suspicious use of WriteProcessMemory (45 IoCs)
description | pid | Process | procid_target
PID 4928 wrote to memory of 2408 | 4928 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | 114
PID 4928 wrote to memory of 2408 | 4928 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | 114
PID 4928 wrote to memory of 2408 | 4928 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | 114
PID 2408 wrote to memory of 4012 | 2408 | Dctooux.exe | 148
PID 2408 wrote to memory of 4012 | 2408 | Dctooux.exe | 148
PID 2408 wrote to memory of 4012 | 2408 | Dctooux.exe | 148
PID 2408 wrote to memory of 4188 | 2408 | Dctooux.exe | 157
PID 2408 wrote to memory of 4188 | 2408 | Dctooux.exe | 157
PID 2408 wrote to memory of 4188 | 2408 | Dctooux.exe | 157
PID 2408 wrote to memory of 2372 | 2408 | Dctooux.exe | 158
PID 2408 wrote to memory of 2372 | 2408 | Dctooux.exe | 158
PID 2408 wrote to memory of 2372 | 2408 | Dctooux.exe | 158
PID 2408 wrote to memory of 3384 | 2408 | Dctooux.exe | 161
PID 2408 wrote to memory of 3384 | 2408 | Dctooux.exe | 161
PID 2408 wrote to memory of 3384 | 2408 | Dctooux.exe | 161
PID 2408 wrote to memory of 2764 | 2408 | Dctooux.exe | 164
PID 2408 wrote to memory of 2764 | 2408 | Dctooux.exe | 164
PID 2408 wrote to memory of 2764 | 2408 | Dctooux.exe | 164
PID 2408 wrote to memory of 4348 | 2408 | Dctooux.exe | 167
PID 2408 wrote to memory of 4348 | 2408 | Dctooux.exe | 167
PID 2408 wrote to memory of 4348 | 2408 | Dctooux.exe | 167
PID 4348 wrote to memory of 3284 | 4348 | AsyncClient.exe | 172
PID 4348 wrote to memory of 3284 | 4348 | AsyncClient.exe | 172
PID 4348 wrote to memory of 3284 | 4348 | AsyncClient.exe | 172
PID 4348 wrote to memory of 2360 | 4348 | AsyncClient.exe | 174
PID 4348 wrote to memory of 2360 | 4348 | AsyncClient.exe | 174
PID 4348 wrote to memory of 2360 | 4348 | AsyncClient.exe | 174
PID 3284 wrote to memory of 3492 | 3284 | cmd.exe | 176
PID 3284 wrote to memory of 3492 | 3284 | cmd.exe | 176
PID 3284 wrote to memory of 3492 | 3284 | cmd.exe | 176
PID 2360 wrote to memory of 2320 | 2360 | cmd.exe | 177
PID 2360 wrote to memory of 2320 | 2360 | cmd.exe | 177
PID 2360 wrote to memory of 2320 | 2360 | cmd.exe | 177
PID 2360 wrote to memory of 1144 | 2360 | cmd.exe | 178
PID 2360 wrote to memory of 1144 | 2360 | cmd.exe | 178
PID 2360 wrote to memory of 1144 | 2360 | cmd.exe | 178
PID 2408 wrote to memory of 2192 | 2408 | Dctooux.exe | 186
PID 2408 wrote to memory of 2192 | 2408 | Dctooux.exe | 186
PID 2408 wrote to memory of 2192 | 2408 | Dctooux.exe | 186
PID 2192 wrote to memory of 1292 | 2192 | rundll32.exe | 187
PID 2192 wrote to memory of 1292 | 2192 | rundll32.exe | 187
PID 1292 wrote to memory of 2488 | 1292 | rundll32.exe | 188
PID 1292 wrote to memory of 2488 | 1292 | rundll32.exe | 188
PID 1292 wrote to memory of 4152 | 1292 | rundll32.exe | 190
PID 1292 wrote to memory of 4152 | 1292 | rundll32.exe | 190
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4928
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 744
      - Program crash
      PID:3188
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 804
      - Program crash
      PID:1232
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 860
      - Program crash
      PID:3820
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 896
      - Program crash
      PID:4032
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 896
      - Program crash
      PID:3004
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 952
      - Program crash
      PID:1928
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1140
      - Program crash
      PID:3596
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1160
      - Program crash
      PID:4756
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1240
      - Program crash
      PID:3916
  [2] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:2408
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 552
        - Program crash
        PID:2212
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 572
        - Program crash
        PID:4504
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 580
        - Program crash
        PID:3000
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 720
        - Program crash
        PID:3956
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888
        - Program crash
        PID:2984
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888
        - Program crash
        PID:4948
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 620
        - Program crash
        PID:2332
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888
        - Program crash
        PID:1628
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 724
        - Program crash
        PID:1664
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1020
        - Program crash
        PID:3728
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1152
        - Program crash
        PID:4716
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1312
        - Program crash
        PID:2928
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1408
        - Program crash
        PID:2444
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1672
        - Program crash
        PID:3140
    [3] C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
        - Executes dropped EXE
        PID:4012
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 2104
          - Program crash
          PID:2252
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1652
        - Program crash
        PID:3012
    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
        - Loads dropped DLL
        PID:4188
    [3] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
        PID:2372
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1772
        - Program crash
        PID:3556
    [3] C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
        command line: "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
        - Executes dropped EXE
        PID:3384
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 2052
          - Program crash
          PID:4804
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1636
        - Program crash
        PID:1768
    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
        - Loads dropped DLL
        PID:2764
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1508
        - Program crash
        PID:968
    [3] C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
        command line: "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:4348
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
          - Suspicious use of WriteProcessMemory
          PID:3284
        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
            - Creates scheduled task(s)
            PID:3492
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D9E.tmp.bat""
          - Suspicious use of WriteProcessMemory
          PID:2360
        [5] C:\Windows\SysWOW64\timeout.exe
            command line: timeout 3
            - Delays execution with timeout.exe
            PID:2320
        [5] C:\Users\Admin\AppData\Roaming\appBroker.exe
            command line: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID:1144
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1420
        - Program crash
        PID:528
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1664
        - Program crash
        PID:3804
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1704
        - Program crash
        PID:1408
    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:2192
      [4] C:\Windows\system32\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID:1292
        [5] C:\Windows\system32\netsh.exe
            command line: netsh wlan show profiles
            PID:2488
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084619521222_Desktop.zip' -CompressionLevel Optimal
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:4152
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
      - Program crash
      PID:3980
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 812
      - Program crash
      PID:1936
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4928 -ip 4928
    PID:3932
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928
    PID:4152
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928
    PID:1468
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4928 -ip 4928
    PID:1500
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4928 -ip 4928
    PID:1292
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928
    PID:3840
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
    PID:5040
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4928 -ip 4928
    PID:3212
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928
    PID:5072
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4928 -ip 4928
    PID:2736
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4928 -ip 4928
    PID:3420
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
    PID:4884
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
    PID:3452
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2408 -ip 2408
    PID:2252
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2408 -ip 2408
    PID:864
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
    PID:4052
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
    PID:3628
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408
    PID:4740
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408
    PID:3948
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
    PID:3932
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
    PID:3060
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2408 -ip 2408
    PID:1596
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2408 -ip 2408
    PID:3292
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2408 -ip 2408
    PID:4608
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
    PID:3884
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
    PID:2720
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012
    PID:4572
[1] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    command line: C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    - Executes dropped EXE
    PID:3000
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 444
      - Program crash
      PID:804
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3000 -ip 3000
    PID:3468
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2408 -ip 2408
    PID:2376
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408
    PID:1092
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
    PID:3680
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2408 -ip 2408
    PID:1324
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3384 -ip 3384
    PID:3396
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408
    PID:4496
[1] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    command line: C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    - Executes dropped EXE
    PID:5044
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 448
      - Program crash
      PID:3828
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5044 -ip 5044
    PID:4960
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2408 -ip 2408
    PID:4464
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads