d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe
Size

28KB
MD5

cfe4317f8ae082b11f49e0d9e00a3190
SHA1

153177ea1c157c149b7fa72e90a82b418dec66e5
SHA256

d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2
SHA512

0774edae4e53c4c8b755060b81ecc5f91691a1da546558338b7eb1506d4d1bd63f5209533180a184524538705a802263b243493e7c2b7386220ba4b8f2e79a8e
SSDEEP

384:2/mPAVyp+6srYYCk2gNPapIxcFpOQGR9zos2clAKLHRN74u56/R9zZwu9d:J4quFCk2LMcXOQ69zbjlAAX5e9zT

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3120A110-3692-44aa-8288-31987A16FE4C}\stubpath = "C:\\Windows\\{3120A110-3692-44aa-8288-31987A16FE4C}.exe"	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B898C5A5-6290-4551-AF71-9517CA28BAC4}\stubpath = "C:\\Windows\\{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe"	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3120A110-3692-44aa-8288-31987A16FE4C}	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC988DFC-8553-4be4-A74B-5CF9F941C566}\stubpath = "C:\\Windows\\{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe"	{3120A110-3692-44aa-8288-31987A16FE4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}\stubpath = "C:\\Windows\\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe"	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B755BD31-D374-4475-AB79-5A343DE0EF3E}	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}\stubpath = "C:\\Windows\\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe"	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}\stubpath = "C:\\Windows\\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe"	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94245C44-705C-450b-A69D-73604ED8A5CB}\stubpath = "C:\\Windows\\{94245C44-705C-450b-A69D-73604ED8A5CB}.exe"	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F99500-3BB1-4391-881C-3FA8A2143289}\stubpath = "C:\\Windows\\{18F99500-3BB1-4391-881C-3FA8A2143289}.exe"	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B898C5A5-6290-4551-AF71-9517CA28BAC4}	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B755BD31-D374-4475-AB79-5A343DE0EF3E}\stubpath = "C:\\Windows\\{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe"	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94245C44-705C-450b-A69D-73604ED8A5CB}	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC988DFC-8553-4be4-A74B-5CF9F941C566}	{3120A110-3692-44aa-8288-31987A16FE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F99500-3BB1-4391-881C-3FA8A2143289}	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe

Executes dropped EXE 9 IoCs

pid	Process
3132	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
3440	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
3188	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
4716	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
4964	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
312	{3120A110-3692-44aa-8288-31987A16FE4C}.exe
1196	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe
2952	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe
4196	{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4528-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4528-1-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000200000001e747-4.dat	upx
behavioral2/memory/4528-6-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0009000000023ca6-10.dat	upx
behavioral2/memory/3132-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000300000001e742-14.dat	upx
behavioral2/memory/3440-18-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000b000000023cb9-22.dat	upx
behavioral2/memory/3188-24-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000c000000021a70-28.dat	upx
behavioral2/memory/4716-30-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000e000000021a75-34.dat	upx
behavioral2/memory/4964-36-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x00090000000221eb-40.dat	upx
behavioral2/memory/312-42-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0003000000000705-46.dat	upx
behavioral2/memory/1196-48-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0006000000000707-52.dat	upx
behavioral2/memory/2952-54-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe
File created	C:\Windows\{94245C44-705C-450b-A69D-73604ED8A5CB}.exe	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
File created	C:\Windows\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
File created	C:\Windows\{18F99500-3BB1-4391-881C-3FA8A2143289}.exe	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe
File created	C:\Windows\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
File created	C:\Windows\{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
File created	C:\Windows\{3120A110-3692-44aa-8288-31987A16FE4C}.exe	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
File created	C:\Windows\{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe	{3120A110-3692-44aa-8288-31987A16FE4C}.exe
File created	C:\Windows\{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1500	4528	WerFault.exe	82
3524	3132	WerFault.exe	83
2916	3440	WerFault.exe	101
1732	3188	WerFault.exe	107
4296	4716	WerFault.exe	110
4552	4964	WerFault.exe	114
1500	312	WerFault.exe	117
1100	1196	WerFault.exe	120
3512	2952	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3120A110-3692-44aa-8288-31987A16FE4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3132	4528	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe	83
PID 4528 wrote to memory of 3132	4528	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe	83
PID 4528 wrote to memory of 3132	4528	d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe	83
PID 3132 wrote to memory of 3440	3132	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe	101
PID 3132 wrote to memory of 3440	3132	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe	101
PID 3132 wrote to memory of 3440	3132	{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe	101
PID 3440 wrote to memory of 3188	3440	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe	107
PID 3440 wrote to memory of 3188	3440	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe	107
PID 3440 wrote to memory of 3188	3440	{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe	107
PID 3188 wrote to memory of 4716	3188	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe	110
PID 3188 wrote to memory of 4716	3188	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe	110
PID 3188 wrote to memory of 4716	3188	{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe	110
PID 4716 wrote to memory of 4964	4716	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe	114
PID 4716 wrote to memory of 4964	4716	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe	114
PID 4716 wrote to memory of 4964	4716	{94245C44-705C-450b-A69D-73604ED8A5CB}.exe	114
PID 4964 wrote to memory of 312	4964	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe	117
PID 4964 wrote to memory of 312	4964	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe	117
PID 4964 wrote to memory of 312	4964	{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe	117
PID 312 wrote to memory of 1196	312	{3120A110-3692-44aa-8288-31987A16FE4C}.exe	120
PID 312 wrote to memory of 1196	312	{3120A110-3692-44aa-8288-31987A16FE4C}.exe	120
PID 312 wrote to memory of 1196	312	{3120A110-3692-44aa-8288-31987A16FE4C}.exe	120
PID 1196 wrote to memory of 2952	1196	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe	123
PID 1196 wrote to memory of 2952	1196	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe	123
PID 1196 wrote to memory of 2952	1196	{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe	123
PID 2952 wrote to memory of 4196	2952	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe	126
PID 2952 wrote to memory of 4196	2952	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe	126
PID 2952 wrote to memory of 4196	2952	{18F99500-3BB1-4391-881C-3FA8A2143289}.exe	126

C:\Users\Admin\AppData\Local\Temp\d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe
"C:\Users\Admin\AppData\Local\Temp\d557b98d200242aeaa676cbd497e39958cc53be176784cd0fa5ab3765cc13eb2N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
  C:\Windows\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
    C:\Windows\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
      C:\Windows\{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
        
        C:\Windows\{94245C44-705C-450b-A69D-73604ED8A5CB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Windows\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
        
        C:\Windows\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{3120A110-3692-44aa-8288-31987A16FE4C}.exe
        
        C:\Windows\{3120A110-3692-44aa-8288-31987A16FE4C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe
        
        C:\Windows\{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{18F99500-3BB1-4391-881C-3FA8A2143289}.exe
        
        C:\Windows\{18F99500-3BB1-4391-881C-3FA8A2143289}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe
        
        C:\Windows\{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 764
        10⤵
        Program crash
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 756
        9⤵
        Program crash
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 552
        8⤵
        Program crash
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 764
        7⤵
        Program crash
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 768
        6⤵
        Program crash
        
        PID:4296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 780
        5⤵
        Program crash
        
        PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 816
      4⤵
      Program crash
      PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 736
    3⤵
    - Program crash
    PID:3524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 744
  2⤵
  - Program crash
  PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4528 -ip 4528
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3132 -ip 3132
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3440 -ip 3440
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3188 -ip 3188
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4716 -ip 4716
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4964 -ip 4964
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 312 -ip 312
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1196 -ip 1196
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2952 -ip 2952
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18F99500-3BB1-4391-881C-3FA8A2143289}.exe

Filesize
28KB

MD5
2dc41354de54a596daef61480605060d

SHA1
1dc5bfee367749d8763ee8b4693b51f3903d77d3

SHA256
b1bfb007c91a2ad4d99a73f371262223dd36a7d19c2897896ecbb820e0cb1da1

SHA512
941cca4b5f57d80b040c5d83b15dabd9efae8d29edcf53598c2a667d250beae4fd13286c3099433a7f362df06ebbb0e8c38079eee39e96a8a341bc3f725c4f22

Download Submit
C:\Windows\{1BD3BCB5-FA54-4017-8954-FD983FF959CE}.exe

Filesize
28KB

MD5
adf6239e0ed16654ecd5156903dd3dd1

SHA1
c137036833a6f10ade2c97faa886e0a3e5d596cb

SHA256
6c5d904cce92446baf24dd3a38234602846156aa00be6cc494d0221279f59457

SHA512
208d73a0a5594aa8575ba5f43234ea19efcbb1dc05de5c7f1400cc75f293c1d5d7327e5db1643ab43a019226ef40a6f2b8db954f1fc492ed99cacb1caeb1fe21

Download Submit
C:\Windows\{3120A110-3692-44aa-8288-31987A16FE4C}.exe

Filesize
28KB

MD5
7cddeed1970518a19469ce118e029f0d

SHA1
f38f5a5873c3f9734d19311bd3abf7e2a6b58530

SHA256
2adef6d67bb087dad8f4984acb6928f411d0c1dbf81dba0d0d37bca749cd3385

SHA512
b3de618e89070590179aa0b472c0147ddb3e54d1424a00f26c5017ac82e811f321d74e93f0c2988de262a8fbf3d839d32d2cb1613c8958102dfa0a717fe20c9e

Download Submit
C:\Windows\{63E39E22-AC3E-4fc6-A8CF-15AF1E8EDABF}.exe

Filesize
28KB

MD5
21159691e214003c762e9a79eb4eca59

SHA1
96eef4262a76ce018b615400c86fa59e7e3d6cf5

SHA256
3ae983fe5fcd4255dadd265c60e8351182fd879aefac2947eee923995600ca7c

SHA512
b50f3cc6e9aa2afcf3eb9c0e60ff0c4a243c640c6b34de1f6254eec57d5d0a1d54f746c4cb1f757153fa2e14154c233c7f570f628bb2b2b218af04a18ec8619e

Download Submit
C:\Windows\{94245C44-705C-450b-A69D-73604ED8A5CB}.exe

Filesize
28KB

MD5
e3b5939f32d5cc3188c0ccf944c292f7

SHA1
47023eee3b650df87b2812816e96b5d1c08ec814

SHA256
246a69efc38e761ecb3bf3b29f37f7af49007812287b8def8a299b356cf98a2e

SHA512
78cfac8e8162b4da10344ef8230e2aaa78178eda605f948079af05e8db0a8c2474cff9b80f60fa103e0328b8e8cb5276d575f89293ec0e99fc44ad6fa5073881

Download Submit
C:\Windows\{B755BD31-D374-4475-AB79-5A343DE0EF3E}.exe

Filesize
28KB

MD5
f09bec0beedceb6e3213025926cd2cc1

SHA1
2f9b7a5bccd10601183875f1b6ac41badd2cf671

SHA256
ab63154fbd74612acceb9c16a2cf5c6ef327802f30b7126a9839029f6adb7a3a

SHA512
470282908769b216a243f4ce7967b5640471aaae22b014b80da2a1cce5c09fce5b7efd25f66abc51c5fa2a1f94932cf4eeeddd0588f0cec9972f5ef0e5765afd

Download Submit
C:\Windows\{B898C5A5-6290-4551-AF71-9517CA28BAC4}.exe

Filesize
28KB

MD5
d8687eeb9a9409462076e099da2ea369

SHA1
9760ed5766adef39cd8d11b075afe1647bbaab89

SHA256
d0f37d676c8b145aa943b4588b16e4d9b14c639bf074c6d3dce5018b6595a9b3

SHA512
1f6116c51fea3309c4a62bc357cd0857d5ca3350d0ea5314c01ce7edece1ed9a47387d374859aad03a20260b171ffa34a8ebc276905be9457b2cbcf26a7e9027

Download Submit
C:\Windows\{C89C1648-0B57-4e91-BA21-B6FB14D50A74}.exe

Filesize
28KB

MD5
ce4ff042b260424106852a65052b686d

SHA1
3f90d9f285d5f1567f59bd32a9a5a76f61f3106d

SHA256
726c5bd1f6663873081e834a7658847b6e10aa3352516130b86ab1919c32eb93

SHA512
c905c1c2330028a293e0ddcf1720561b4249f189d75aff29ed088cb3167038a8f9914a9d5fcba029a7c5f7fd9d3826a52790daa0948ec91d4957ccd6fde8fbf5

Download Submit
C:\Windows\{DC988DFC-8553-4be4-A74B-5CF9F941C566}.exe

Filesize
28KB

MD5
29de2131c370bf322d5df05c1f4de470

SHA1
3765bd5fb3bfb7a3f800b3a1b6f2150811dcb23e

SHA256
258beb07ad06dc702ac212a104ef8829ab2d3005bdfc49c62ed73806950a5425

SHA512
d40add143285e647d87cbc5a2b0be354385a1b19c303cc48411daa24a8f0b13cef09e614a01e3dd902b0b9ace634336a061d5d376df11a1249ae4aeabbfe1825

Download Submit
memory/312-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3132-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3188-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3440-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4528-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4528-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4528-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4716-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4964-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads