940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe
Size

28KB
MD5

2f2f29b1fdc23c208eef50e0d1d7d8da
SHA1

38aa1a47e500d98ac17ad711a9009bffb25ecfa4
SHA256

940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b
SHA512

f4c8cbc0476163a7de0a6156d2da15f649a2e786cca5b79e72d5c9c0ef105af3e90983f0353b800e5d4867059557f5df2f852988f524d6296aadb91980590e8c
SSDEEP

384:2/mPAVyp+6srYYCk2gNPapIzFpOQGR9zos2clAKLHRN74u56/R9zZwu9P:J4quFCk2LeXOQ69zbjlAAX5e9zh

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}	{9988F06B-8530-4fd7-884F-F52E09294733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}\stubpath = "C:\\Windows\\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe"	{9988F06B-8530-4fd7-884F-F52E09294733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4647B200-CE8E-4d2b-9ED3-E885427406DF}\stubpath = "C:\\Windows\\{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe"	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64921333-FA5E-4654-BCA4-15179A898D35}\stubpath = "C:\\Windows\\{64921333-FA5E-4654-BCA4-15179A898D35}.exe"	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}\stubpath = "C:\\Windows\\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe"	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}	{64921333-FA5E-4654-BCA4-15179A898D35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}\stubpath = "C:\\Windows\\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe"	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9988F06B-8530-4fd7-884F-F52E09294733}\stubpath = "C:\\Windows\\{9988F06B-8530-4fd7-884F-F52E09294733}.exe"	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4647B200-CE8E-4d2b-9ED3-E885427406DF}	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64921333-FA5E-4654-BCA4-15179A898D35}	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}\stubpath = "C:\\Windows\\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe"	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54516DB3-9181-4434-9CF9-820BDFB38084}\stubpath = "C:\\Windows\\{54516DB3-9181-4434-9CF9-820BDFB38084}.exe"	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9988F06B-8530-4fd7-884F-F52E09294733}	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}\stubpath = "C:\\Windows\\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe"	{64921333-FA5E-4654-BCA4-15179A898D35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54516DB3-9181-4434-9CF9-820BDFB38084}	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe

Executes dropped EXE 9 IoCs

pid	Process
4664	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
4088	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe
1480	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
1716	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
3132	{9988F06B-8530-4fd7-884F-F52E09294733}.exe
2628	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
2156	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe
2932	{64921333-FA5E-4654-BCA4-15179A898D35}.exe
1936	{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4636-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4636-1-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0008000000023c56-3.dat	upx
behavioral2/memory/4636-6-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0007000000023c6f-11.dat	upx
behavioral2/memory/4664-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000300000001e0c9-14.dat	upx
behavioral2/memory/4088-18-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000d000000023c77-22.dat	upx
behavioral2/memory/1480-24-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000800000001e786-28.dat	upx
behavioral2/memory/1716-30-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000f0000000216ea-34.dat	upx
behavioral2/memory/3132-36-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0009000000021ee0-40.dat	upx
behavioral2/memory/2628-42-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0003000000000709-46.dat	upx
behavioral2/memory/2156-48-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000600000000070b-52.dat	upx
behavioral2/memory/2932-54-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
File created	C:\Windows\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe	{9988F06B-8530-4fd7-884F-F52E09294733}.exe
File created	C:\Windows\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe
File created	C:\Windows\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
File created	C:\Windows\{54516DB3-9181-4434-9CF9-820BDFB38084}.exe	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe
File created	C:\Windows\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe	{64921333-FA5E-4654-BCA4-15179A898D35}.exe
File created	C:\Windows\{9988F06B-8530-4fd7-884F-F52E09294733}.exe	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
File created	C:\Windows\{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
File created	C:\Windows\{64921333-FA5E-4654-BCA4-15179A898D35}.exe	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1924	4636	WerFault.exe	82
4032	4664	WerFault.exe	84
776	4088	WerFault.exe	101
2592	1480	WerFault.exe	107
2180	1716	WerFault.exe	110
2212	3132	WerFault.exe	113
3184	2628	WerFault.exe	116
3720	2156	WerFault.exe	119
4168	2932	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9988F06B-8530-4fd7-884F-F52E09294733}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64921333-FA5E-4654-BCA4-15179A898D35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4664	4636	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe	84
PID 4636 wrote to memory of 4664	4636	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe	84
PID 4636 wrote to memory of 4664	4636	940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe	84
PID 4664 wrote to memory of 4088	4664	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe	101
PID 4664 wrote to memory of 4088	4664	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe	101
PID 4664 wrote to memory of 4088	4664	{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe	101
PID 4088 wrote to memory of 1480	4088	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe	107
PID 4088 wrote to memory of 1480	4088	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe	107
PID 4088 wrote to memory of 1480	4088	{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe	107
PID 1480 wrote to memory of 1716	1480	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe	110
PID 1480 wrote to memory of 1716	1480	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe	110
PID 1480 wrote to memory of 1716	1480	{54516DB3-9181-4434-9CF9-820BDFB38084}.exe	110
PID 1716 wrote to memory of 3132	1716	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe	113
PID 1716 wrote to memory of 3132	1716	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe	113
PID 1716 wrote to memory of 3132	1716	{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe	113
PID 3132 wrote to memory of 2628	3132	{9988F06B-8530-4fd7-884F-F52E09294733}.exe	116
PID 3132 wrote to memory of 2628	3132	{9988F06B-8530-4fd7-884F-F52E09294733}.exe	116
PID 3132 wrote to memory of 2628	3132	{9988F06B-8530-4fd7-884F-F52E09294733}.exe	116
PID 2628 wrote to memory of 2156	2628	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe	119
PID 2628 wrote to memory of 2156	2628	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe	119
PID 2628 wrote to memory of 2156	2628	{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe	119
PID 2156 wrote to memory of 2932	2156	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe	122
PID 2156 wrote to memory of 2932	2156	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe	122
PID 2156 wrote to memory of 2932	2156	{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe	122
PID 2932 wrote to memory of 1936	2932	{64921333-FA5E-4654-BCA4-15179A898D35}.exe	125
PID 2932 wrote to memory of 1936	2932	{64921333-FA5E-4654-BCA4-15179A898D35}.exe	125
PID 2932 wrote to memory of 1936	2932	{64921333-FA5E-4654-BCA4-15179A898D35}.exe	125

C:\Users\Admin\AppData\Local\Temp\940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe
"C:\Users\Admin\AppData\Local\Temp\940ed3f46346ea79a3401ae81dd70e513d00c9ab79e9a87e9ac20baedcef659b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
  C:\Windows\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe
    C:\Windows\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
      C:\Windows\{54516DB3-9181-4434-9CF9-820BDFB38084}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
        
        C:\Windows\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\{9988F06B-8530-4fd7-884F-F52E09294733}.exe
        
        C:\Windows\{9988F06B-8530-4fd7-884F-F52E09294733}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
        
        C:\Windows\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe
        
        C:\Windows\{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{64921333-FA5E-4654-BCA4-15179A898D35}.exe
        
        C:\Windows\{64921333-FA5E-4654-BCA4-15179A898D35}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe
        
        C:\Windows\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 756
        10⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 784
        9⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 764
        8⤵
        Program crash
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 784
        7⤵
        Program crash
        
        PID:2212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 764
        6⤵
        Program crash
        
        PID:2180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 740
        5⤵
        Program crash
        
        PID:2592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 812
      4⤵
      Program crash
      PID:776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 804
    3⤵
    - Program crash
    PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 764
  2⤵
  - Program crash
  PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4636 -ip 4636
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4664 -ip 4664
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4088 -ip 4088
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1480 -ip 1480
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1716 -ip 1716
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3132 -ip 3132
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2628 -ip 2628
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2156 -ip 2156
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2932 -ip 2932
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4647B200-CE8E-4d2b-9ED3-E885427406DF}.exe

Filesize
28KB

MD5
f80f5f5cf5d7759182945d1ddcee1179

SHA1
3aa6ba8783e0a528c502ea2d5b0095be8272e7dd

SHA256
a44aca8130642077785e9078befaa91c939210d3c1b31ecc369eb607bd022045

SHA512
b9bb6704c07648fd50ec0e7a8aec85838b650c86410d6280aecd58b7d90730a28b9de911ece8f0da6b198ff8f479733738e5913ff786d7eb96bc0819b9a1fb7c

Download Submit
C:\Windows\{54516DB3-9181-4434-9CF9-820BDFB38084}.exe

Filesize
28KB

MD5
6276e145a8f5aa86a0d11685afe9fb9d

SHA1
2abe3c2be7541e3fddcad1de181895acb1b85fe5

SHA256
4cf788ffd1baa1c13c56cfe735b4cc34d43cf14d6d20ed65956402873047adb6

SHA512
c5dc22ad331bbdca813f624777585e6023851d0922b42269fbe7431e775012a4543166be5fe7fc4e3efb1d21ecaeba7cbe3c42118301712e325983b495aa74b2

Download Submit
C:\Windows\{64921333-FA5E-4654-BCA4-15179A898D35}.exe

Filesize
28KB

MD5
6571029790ae296142cc0a45884c99bc

SHA1
802baf94cd7b9d55e5cb0e182fc93dd685961057

SHA256
2ae92a1c1fcac87092c759f4f83b774b5eb5b7e6b739677bd933e094e54e7f7c

SHA512
34f33bf5bd4aba13729fbf1c25989f68e85d03262b78f79e73772bf7e3aa7b0066b8c385c6031c9933e88c3134d3b2a5f379d595824427dbb48919fa1670e814

Download Submit
C:\Windows\{673AA455-D93F-4daf-A7EC-1B3AF2A3806B}.exe

Filesize
28KB

MD5
b7c261e79b9de71f6c04eb4f8f901654

SHA1
e2d23392b2e23e328e0290f589b50f8121a239e1

SHA256
cd6746164dc6c57b30c0f9d851a4e052152ce01f6e8beef7bfc2cdaf24b6a0a3

SHA512
66b6b4fa0dc609dd075de501b3a389688b2af747b5035dce8112dc1bae7f7d50dfc14656ae1d0d84e67b43d56200b0965bc49a87b96f5081eb5f1a1a10fc4875

Download Submit
C:\Windows\{6CA9F038-77D2-4d3a-A0C9-CED0928EC197}.exe

Filesize
28KB

MD5
88c1097e25106fb6f029d9df6ac17606

SHA1
55ba54205f556d9d8f45014f813037003b2b9291

SHA256
b1e670a545da6c31384e242d8dee48a6eaacab1ff0611d6f9e6681a33e1379ea

SHA512
f2a52e0d03970d44ff65e9412ee834289374cf5150e36f9563eaac7983e9ee950a5f2a098275101e4db73edf1b3b88c57968d4139086138ff08b72ae8411e547

Download Submit
C:\Windows\{935736F6-2B52-42c7-A0E6-36DA1ABE2520}.exe

Filesize
28KB

MD5
2fbba7d0a784f6601d9a7ee98860933d

SHA1
f755b28490acdaf59da33f0f5fcff706ab63e927

SHA256
4d879b4849a1c3c25ceb3866ff16684b182fce331230d19ba79e2bac2234c679

SHA512
80c0557a5509a61128a99e6a0b2422320948321a7493fac213517f33d69649037b897a61bafcd72dd9849b79fbd0d2baf524fd2d5d8028e607d24ef50a24206f

Download Submit
C:\Windows\{9988F06B-8530-4fd7-884F-F52E09294733}.exe

Filesize
28KB

MD5
84a334f23878acab799e684a3edc5784

SHA1
ffdcf48210acc4d6fa271b50d0fea855a9d116b9

SHA256
57d670215d5be70e4eede8b23007e719c7bcb208604ffaa7ac87bd57a334fbfd

SHA512
a49838be8facfa58039afbf81c856077281b6b32708cc5e9890cdeffa35babbecf863d5c926ec846ebf52a116cfafb66eceff54e0fa455c590f6a0bcbec88c0a

Download Submit
C:\Windows\{DB0B590A-B438-4a08-AC10-4A9F56F83EB8}.exe

Filesize
28KB

MD5
2d25ba089532d01eddf82bcc5aa1aed1

SHA1
17ee1d7a554a081522b5b32176e615e119925737

SHA256
16a7509e98c44312148fbfbd2cabf6addd05f79b315690a0053dbde85c9c2260

SHA512
b2a619aefc0e37d5a105404dad0bd7a0dce92f061d60b8cb12594787d7a3f67327f66bc385b1dc80dc9a813d954ef6ca518c9b3e16da7c9ff1f111c7a6f9b571

Download Submit
C:\Windows\{F6BFC434-5B56-4ee1-B506-B6E878D6B892}.exe

Filesize
28KB

MD5
b403283dc721bc581e82c048bb821a71

SHA1
8f3ff5cec441f82a750553f10e0106ee6d1772c4

SHA256
e69e8ac82e78b50489bdd585e07eb790726a3989733d9461d39494fd68a46cf9

SHA512
6a962b828221cd4d8a28793b52ee21f5875ebde3c65f3742f3ba3d9658d4a0cb477b9cb00eb1ae47bb8d853503c2ad4b0c82b646d8a23127ba1ee037c1cf026a

Download Submit
memory/1480-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2156-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2628-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2932-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3132-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4088-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4636-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4636-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4636-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4664-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads