Analysis
max time kernel: 152s
max time network: 161s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-04-2024 04:32
Static task: static1
Behavioral task: behavioral1
Sample: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Resource: win10v2004-20240412-en
General
Target: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Size: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
SSDEEP: 6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Malware Config
Extracted: amadey 4.18
  install_dir: 154561dcbf
  install_file: Dctooux.exe
  strings_key: 2cd47fa043c815e1a033c67832f3c6a5
  url_paths: /j4Fvskd3/index.php
Extracted: vidar
  https://steamcommunity.com/profiles/76561199673019888
  https://t.me/irfail
  user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted: asyncrat 0.5.8
  Default
  94.228.162.82:6606
  94.228.162.82:7707
  94.228.162.82:8808
  YBc01FE5mcOd
  delay: 3
  install: true
  install_file: appBroker.exe
  install_folder: %AppData%
Signatures

Detect Vidar Stealer (4 IoCs)
resource | yara_rule
behavioral2/memory/4684-59-0x00000000030A0000-0x00000000030D5000-memory.dmp | family_vidar_v7
behavioral2/memory/4684-60-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral2/memory/4684-64-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral2/files/0x001d00000002aa4d-70.dat | family_vidar_v7

Detect ZGRat V1 (2 IoCs)
resource | yara_rule
behavioral2/memory/3088-143-0x0000000006700000-0x000000000679C000-memory.dmp | family_zgrat_v1
behavioral2/memory/3088-149-0x0000000006A70000-0x0000000006AD2000-memory.dmp | family_zgrat_v1

Async RAT payload (1 IoC)
resource | yara_rule
behavioral2/files/0x000600000002aa56-99.dat | family_asyncrat

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
19 | 2368 | rundll32.exe
21 | 2368 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (8 IoCs)
pid | Process
4396 | Dctooux.exe
4612 | Dctooux.exe
4684 | vidar.exe
1972 | AsyncClient.exe
1852 | AsyncClient.exe
4516 | Dctooux.exe
3088 | appBroker.exe
4264 | Dctooux.exe

Loads dropped DLL (4 IoCs)
pid | Process
2696 | rundll32.exe
2812 | rundll32.exe
3692 | rundll32.exe
2368 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | Dctooux.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\Dctooux.job | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (37 IoCs)
pid | pid_target | Process | procid_target
2012 | 436 | WerFault.exe | 79
2768 | 436 | WerFault.exe | 79
4492 | 436 | WerFault.exe | 79
2324 | 436 | WerFault.exe | 79
4684 | 436 | WerFault.exe | 79
4820 | 436 | WerFault.exe | 79
2264 | 436 | WerFault.exe | 79
1836 | 436 | WerFault.exe | 79
2740 | 436 | WerFault.exe | 79
4348 | 436 | WerFault.exe | 79
4896 | 436 | WerFault.exe | 79
4544 | 4396 | WerFault.exe | 102
676 | 4396 | WerFault.exe | 102
1648 | 4396 | WerFault.exe | 102
3192 | 4396 | WerFault.exe | 102
4176 | 4612 | WerFault.exe | 107
3464 | 4396 | WerFault.exe | 102
3856 | 4396 | WerFault.exe | 102
3744 | 4396 | WerFault.exe | 102
2920 | 4396 | WerFault.exe | 102
4496 | 4396 | WerFault.exe | 102
2500 | 4396 | WerFault.exe | 102
2604 | 4396 | WerFault.exe | 102
3844 | 4396 | WerFault.exe | 102
1568 | 4396 | WerFault.exe | 102
1876 | 4396 | WerFault.exe | 102
2324 | 4396 | WerFault.exe | 102
924 | 4396 | WerFault.exe | 102
2860 | 4684 | WerFault.exe | 138
4008 | 4396 | WerFault.exe | 102
4948 | 4396 | WerFault.exe | 102
3096 | 4396 | WerFault.exe | 102
3008 | 4396 | WerFault.exe | 102
5076 | 4516 | WerFault.exe | 157
4868 | 4396 | WerFault.exe | 102
2324 | 4396 | WerFault.exe | 102
1336 | 4264 | WerFault.exe | 177

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2000 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
1860 | timeout.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | Process
1972 | AsyncClient.exe (19 entries)
2368 | rundll32.exe (10 entries)
3496 | powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1972 | AsyncClient.exe
Token: SeDebugPrivilege | 3088 | appBroker.exe
Token: SeDebugPrivilege | 3496 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
436 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe

Suspicious use of WriteProcessMemory (45 IoCs)
description | pid | Process | procid_target
PID 436 wrote to memory of 4396 | 436 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | 102 (3 entries)
PID 4396 wrote to memory of 4684 | 4396 | Dctooux.exe | 138 (3 entries)
PID 4396 wrote to memory of 2696 | 4396 | Dctooux.exe | 144 (3 entries)
PID 4396 wrote to memory of 4928 | 4396 | Dctooux.exe | 145 (3 entries)
PID 4396 wrote to memory of 2812 | 4396 | Dctooux.exe | 148 (3 entries)
PID 4396 wrote to memory of 1972 | 4396 | Dctooux.exe | 150 (3 entries)
PID 4396 wrote to memory of 1852 | 4396 | Dctooux.exe | 153 (3 entries)
PID 1972 wrote to memory of 3032 | 1972 | AsyncClient.exe | 160 (3 entries)
PID 1972 wrote to memory of 4656 | 1972 | AsyncClient.exe | 162 (3 entries)
PID 3032 wrote to memory of 2000 | 3032 | cmd.exe | 164 (3 entries)
PID 4656 wrote to memory of 1860 | 4656 | cmd.exe | 165 (3 entries)
PID 4656 wrote to memory of 3088 | 4656 | cmd.exe | 166 (3 entries)
PID 4396 wrote to memory of 3692 | 4396 | Dctooux.exe | 171 (3 entries)
PID 3692 wrote to memory of 2368 | 3692 | rundll32.exe | 172 (2 entries)
PID 2368 wrote to memory of 1212 | 2368 | rundll32.exe | 173 (2 entries)
PID 2368 wrote to memory of 3496 | 2368 | rundll32.exe | 175 (2 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 7722⤵
- Program crash
PID:2012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 8202⤵
- Program crash
PID:2768
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 8762⤵
- Program crash
PID:4492
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 8842⤵
- Program crash
PID:2324
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 9482⤵
- Program crash
PID:4684
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 9482⤵
- Program crash
PID:4820
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 10162⤵
- Program crash
PID:2264
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 10442⤵
- Program crash
PID:1836
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 10322⤵
- Program crash
PID:2740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 11162⤵
- Program crash
PID:4348
-
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 5803⤵
- Program crash
PID:4544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 6243⤵
- Program crash
PID:676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 6443⤵
- Program crash
PID:1648
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 8643⤵
- Program crash
PID:3192
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 8643⤵
- Program crash
PID:3464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 8963⤵
- Program crash
PID:3856
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 9123⤵
- Program crash
PID:3744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 9323⤵
- Program crash
PID:2920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 8603⤵
- Program crash
PID:4496
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 10363⤵
- Program crash
PID:2500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 11683⤵
- Program crash
PID:2604
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 11683⤵
- Program crash
PID:3844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 12683⤵
- Program crash
PID:1568
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 11363⤵
- Program crash
PID:1876
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 17683⤵
- Program crash
PID:2324
-
-
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"3⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 21564⤵
- Program crash
PID:2860
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 17403⤵
- Program crash
PID:924
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main3⤵
- Loads dropped DLL
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"3⤵PID:4928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 15923⤵
- Program crash
PID:4008
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main3⤵
- Loads dropped DLL
PID:2812
-
-
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'5⤵
- Creates scheduled task(s)
PID:2000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE2E9.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:1860
-
-
C:\Users\Admin\AppData\Roaming\appBroker.exe"C:\Users\Admin\AppData\Roaming\appBroker.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 19403⤵
- Program crash
PID:4948
-
-
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"3⤵
- Executes dropped EXE
PID:1852
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 18883⤵
- Program crash
PID:3096
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 17203⤵
- Program crash
PID:3008
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 17923⤵
- Program crash
PID:4868
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 19163⤵
- Program crash
PID:2324
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:1212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\258603162493_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 11762⤵
- Program crash
PID:4896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 4361⤵PID:4980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 4361⤵PID:4336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 436 -ip 4361⤵PID:876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 436 -ip 4361⤵PID:4076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 436 -ip 4361⤵PID:4536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 436 -ip 4361⤵PID:3080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 436 -ip 4361⤵PID:1628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 436 -ip 4361⤵PID:2360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 4361⤵PID:1232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 436 -ip 4361⤵PID:3268
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 436 -ip 4361⤵PID:2004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4396 -ip 43961⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe1⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 4722⤵
- Program crash
PID:4176
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4396 -ip 43961⤵PID:4960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 43961⤵PID:4696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 43961⤵PID:1088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4612 -ip 46121⤵PID:5028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4396 -ip 43961⤵PID:1980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 43961⤵PID:3008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4396 -ip 43961⤵PID:448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 43961⤵PID:3304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 43961⤵PID:1708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 43961⤵PID:2236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 43961⤵PID:3088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4396 -ip 43961⤵PID:3668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4396 -ip 43961⤵PID:2544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 43961⤵PID:2504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 43961⤵PID:2144
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4396 -ip 43961⤵PID:3080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 46841⤵PID:2844
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 43961⤵PID:2520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 43961⤵PID:3012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4396 -ip 43961⤵PID:3760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 43961⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe1⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 4762⤵
- Program crash
PID:5076
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4516 -ip 45161⤵PID:4528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 43961⤵PID:4356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4396 -ip 43961⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe1⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 4762⤵
- Program crash
PID:1336
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4264 -ip 42641⤵PID:2056
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 425B
MD5: bb27934be8860266d478c13f2d65f45e
SHA1: a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA256: 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA512: 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Filesize: 300KB
MD5: b099ea0b80ecf49caa0d7003e0c95071
SHA1: 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256: 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512: 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

Filesize: 243KB
MD5: 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1: dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256: 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512: fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

Filesize: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

Filesize: 82KB
MD5: 7d74fd00faa07ab82bf844e66f8adfeb
SHA1: 8076a9f3e766f2b1d01f53ea7fa20363ac115775
SHA256: eca62539e9f14cd9e31568694b697a76676a132a1c43b9f9e0cd76853238d1de
SHA512: 3ebb204e3d03443f3fd6ed28ce627e3a48da9b37e0ff61f59c2f3cbb97d30d6c9765df197b1876ce0b4a9ebf92c34d0e1e2f73f6a864102092ffaa6d5dbc96ff

Filesize: 160KB
MD5: 888109621445b833b7a421884fa630d2
SHA1: 14aded356b697a143e35099467cc4f283672fd09
SHA256: 88d0a3a21ad28a90e082a4cb3874006c0fcc35ab07476c802ecc63ff8117a1a0
SHA512: 0736eefc0aaa440b3c6619f55f94d5e9eeb9fb8cb379cd1fbfa31fcb27558acb22c44b8427219a943ced3c6da9635a27bdb509339e0bb59ddf58119f5cd8cd99

Filesize: 160KB
MD5: 6bcbcbd38a160f31a983baf685317119
SHA1: bdcd302c4a9b2f498a210b33c5289352d10135bc
SHA256: b7412915875632d11fefc9271a7a2c95a1e130d84886d057f02d2b44f5106132
SHA512: 9fc1ff8e677078b888cc26a1801bb3969b337931ce1ee3381a41cd2411fff053fdd66a1717b0eefdc94729bceac91279089d17cfe5bfe75f859c7aa214d4cca3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 153B
MD5: 82550e030f42f5e7bacb54af59cedb52
SHA1: 3eaa16bbf3c4207411d88869b0ed46b81f278642
SHA256: e23fe0fc8594dbec0849207a8370adc2bb924ec6cac83c01de019dba46db1d90
SHA512: 0d76afe564417ef4314b983036fee5801b2f5246c4db95c4e164ee7d7d8178cb10567e934dc765c5d8ace04632b9fb0dd90e39de977a020396ff2c4f5292e60e

Filesize: 48KB
MD5: 7fd8581748cdf137023ef96f1286ce0f
SHA1: c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512: bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

Filesize: 1.2MB
MD5: 4876ee75ce2712147c41ff1277cd2d30
SHA1: 3733dc92318f0c6b92cb201e49151686281acda6
SHA256: bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512: 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9