Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
23/11/2022, 14:03
Static task
static1
Behavioral task
behavioral1
Sample
6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Resource
win10v2004-20220901-en
General
-
Target
6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
-
Size
520KB
-
MD5
2e1b2aaeaef46f92436616cf7912f931
-
SHA1
db8e74884c960d1bc297a6ae15f1aa30d958e3ce
-
SHA256
6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
-
SHA512
0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1
-
SSDEEP
12288:RWXClV2A9GguHZ3+IuuD+nij6XENkjHMmQR79DaU:RZIHh/sij6XENkyR79WU
Malware Config
Signatures
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Executes dropped EXE 2 IoCs
pid | Process
5004 | appinit.exe
1032 | appinit.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4252 set thread context of 3968 | 4252 | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe | 83
PID 5004 set thread context of 1032 | 5004 | appinit.exe | 119
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\{9043-8547-9771-90}\ | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
File opened for modification | C:\Windows\{9043-8547-9771-90}\appinit.exe | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
File created | C:\Windows\{9043-8547-9771-90}\appinit.exe | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4188 | 1032 | WerFault.exe | 119
3816 | 1032 | WerFault.exe | 119
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3968 | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"2⤵PID:4336
-
-
C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:3656
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2996
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:4468
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:1352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:3740
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:4048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:4456
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2600
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:4348
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2840
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2848
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:5024
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:4052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2788
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:4084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2816
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:4884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:3620
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:4812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:972
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2224
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:1848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:1144
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:2420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:432
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:848
-
-
C:\Windows\{9043-8547-9771-90}\appinit.exe"C:\Windows\{9043-8547-9771-90}\appinit.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5004 -
C:\Windows\{9043-8547-9771-90}\appinit.exe"C:\Windows\{9043-8547-9771-90}\appinit.exe"4⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 125⤵
- Program crash
PID:4188
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 565⤵
- Program crash
PID:3816
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1032 -ip 10321⤵PID:3724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1032 -ip 10321⤵PID:3696
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
520KB
MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1