matiex | d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324

General

Target

d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
Size

269KB
MD5

9496bc692308860f1808a6b141eb7df7
SHA1

80b84b08547382757898af00968f34ff5bfec31b
SHA256

d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324
SHA512

731dbc22b4691de0d686598cea6ccdf1d1911d1f0349eda69a5627b4d709377a6669f3969f61ba5b75fcafb366d920d1dcac35ac722a2efb9eb1f9e241b5e004
SSDEEP

6144:ibXGFYBiXBE1py3uDjvrTRQgy8xwm7DVK:bOBiXBIiuXvHigy8xwmPVK

Score

10^/10

matiex keylogger stealer

Malware Config

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1064-83-0x0000000000400000-0x0000000000426000-memory.dmp	family_matiex
behavioral1/memory/1064-84-0x0000000000400000-0x0000000000426000-memory.dmp	family_matiex
behavioral1/memory/1064-85-0x0000000000400000-0x0000000000426000-memory.dmp	family_matiex
behavioral1/memory/1064-86-0x00000000004219FA-mapping.dmp	family_matiex
behavioral1/memory/1064-88-0x0000000000400000-0x0000000000426000-memory.dmp	family_matiex
behavioral1/memory/1064-90-0x0000000000400000-0x0000000000426000-memory.dmp	family_matiex

Drops startup file 4 IoCs

Processes:

pOwERsHeLl.exePowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sym.exe	pOwERsHeLl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sym.exe	pOwERsHeLl.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe	Powershell.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 freegeoip.app
4 checkip.dyndns.org
8 freegeoip.app

flow	ioc
9	freegeoip.app
4	checkip.dyndns.org
8	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exed256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

description	pid	process	target process
PID 1012 set thread context of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 set thread context of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1612 1064 WerFault.exe d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

pid	pid_target	process	target process
1612	1064	WerFault.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

pOwERsHeLl.exePowershell.exed256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

pid process

1532 pOwERsHeLl.exe
868 Powershell.exe
1248 d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

pid	process
1532	pOwERsHeLl.exe
868	Powershell.exe
1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pOwERsHeLl.exePowershell.exed256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exed256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

description	pid	process
Token: SeDebugPrivilege	1532	pOwERsHeLl.exe
Token: SeDebugPrivilege	868	Powershell.exe
Token: SeDebugPrivilege	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
Token: SeDebugPrivilege	1064	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exed256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exed256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe

C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
"C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
"C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
"C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
"C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe"
3⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1736
4⤵
- Program crash
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
"pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sym.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
609200470595a65a890bf7bc89e1bcfc

SHA1
88bfc9b16a867bdbde1efbb79e04c6f07858a054

SHA256
4ce573e900485a8910b54f28d149cf231254b80658c5b3f502264d07d9d7fd15

SHA512
bb2040b7e1e45297548d0467ed2345ef1f20b4007541b0dcdadbb217e79794d64773e1f066f50b5b99fa1bc5ee074eb33217c8843325805772ee1fc3c7b2234e

Download Submit
memory/868-78-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/868-75-0x0000000000000000-mapping.dmp

Download
memory/1012-71-0x0000000000645000-0x0000000000656000-memory.dmp

Filesize
68KB

Download
memory/1012-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1012-56-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/1012-54-0x00000000002A0000-0x00000000002EA000-memory.dmp

Filesize
296KB

Download
memory/1012-62-0x0000000000645000-0x0000000000656000-memory.dmp

Filesize
68KB

Download
memory/1064-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-88-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-86-0x00000000004219FA-mapping.dmp

Download
memory/1064-85-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-83-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-79-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1248-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-64-0x0000000000430E4E-mapping.dmp

Download
memory/1248-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-73-0x0000000070570000-0x0000000070B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-72-0x0000000070570000-0x0000000070B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-68-0x0000000000000000-mapping.dmp

Download
memory/1612-92-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1248	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1012 wrote to memory of 1532	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	pOwERsHeLl.exe
PID 1012 wrote to memory of 1532	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	pOwERsHeLl.exe
PID 1012 wrote to memory of 1532	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	pOwERsHeLl.exe
PID 1012 wrote to memory of 1532	1012	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	pOwERsHeLl.exe
PID 1248 wrote to memory of 868	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	Powershell.exe
PID 1248 wrote to memory of 868	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	Powershell.exe
PID 1248 wrote to memory of 868	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	Powershell.exe
PID 1248 wrote to memory of 868	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	Powershell.exe
PID 1248 wrote to memory of 1160	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1160	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1160	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1160	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1248 wrote to memory of 1064	1248	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe
PID 1064 wrote to memory of 1612	1064	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	WerFault.exe
PID 1064 wrote to memory of 1612	1064	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	WerFault.exe
PID 1064 wrote to memory of 1612	1064	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	WerFault.exe
PID 1064 wrote to memory of 1612	1064	d256e544c1dbe5a7d111af512e899bf0f81208bc2cc8ca5fba8c701ac7691324.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads