Analysis
max time kernel: 115s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2023, 23:11
Behavioral task: behavioral1
Sample: Win64Sys.exe
Resource: win7-20220901-en
(The signature, YARA and process-tree results below are tagged behavioral2 and come from the win10v2004-20220812-en run named in the header; behavioral1 on win7-20220901-en is the sibling task of the same submission.)
General
Target: Win64Sys.exe
Size: 378KB
MD5: 361ee66ffa93eda7d78eb4a5d14bfd57
SHA1: e8157e8283a3f8eb7390d45b98ae4d32c53ce273
SHA256: 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
SHA512: 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6
SSDEEP: 6144:+KMJx4pweP7kJS3irzPchzCSfj654xCbjj0P4MkV45M9TP:+KoSckh9765EAj0NHM9TP
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2: stuhowe.ddns.net:4782
Mutex: QSR_MUTEX_X4mfjPTkLaQEdjHzYF
encryption_key: 9FBvOmlVpI0GOzCn9KhI
install_name: Win64Sys.exe
log_directory: Keys
reconnect_delay: 3000
startup_key: Windows x64 System Client
subdirectory: Micosoft
The extracted fields line up with the dynamic behaviour recorded below: startup_key is the scheduled-task name passed to schtasks /tn, subdirectory plus install_name give the install path %APPDATA%\Micosoft\Win64Sys.exe (the "Micosoft" misspelling is a convenient hunting string), and the C2 is a dynamic-DNS host on Quasar's default port 4782.
Signatures

Quasar RAT
  pid 3500    schtasks.exe
  flow 1      ip-api.com    Process not Found
  flow 23     ip-api.com    Process not Found
  flow 70     ip-api.com    Process not Found
  flow 81     ip-api.com    Process not Found
("Process not Found" means the sandbox could not attribute the flow to a process.)
Quasar payload (12 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2732-132-0x0000000000FB0000-0x0000000001014000-memory.dmp   family_quasar
  behavioral2/files/0x0009000000022f41-140.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-141.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-149.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-158.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-166.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-174.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-182.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-190.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-198.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-206.dat                                   family_quasar
  behavioral2/files/0x0009000000022f41-214.dat                                   family_quasar
(The memory hit is the 0x64000-byte mapped image of PID 2732, the original copy in %TEMP%; the file hits are the dropped copy written to disk.)
Executes dropped EXE (10 IoCs)
  pid   Process
  3660  Win64Sys.exe
  112   Win64Sys.exe
  4568  Win64Sys.exe
  2188  Win64Sys.exe
  2992  Win64Sys.exe
  2008  Win64Sys.exe
  1396  Win64Sys.exe
  4452  Win64Sys.exe
  3880  Win64Sys.exe
  1512  Win64Sys.exe
Checks computer location settings (2 TTPs, 10 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, by Win64Sys.exe (10 hits, one per dropped-EXE instance)
Caveat: this key is also read by the .NET runtime when it initialises region information, and Quasar is a .NET client, so on its own the hit is weak evidence of geofencing. The ip-api.com lookups below are the stronger sign of geolocation interest.
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com
  23    ip-api.com
  70    ip-api.com
  81    ip-api.com
(None of the four flows could be attributed to a process by the sandbox; see the Quasar RAT summary above.)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: the ransomware wording is the signature's generic description. The sample is classified as Quasar, a RAT whose file manager enumerates drives, and nothing else in this report (no file encryption, no ransom note) points to ransomware.
Program crash (10 IoCs)
  pid   pid_target  Process       procid_target
  4084  3660        WerFault.exe  79
  1952  112         WerFault.exe  93
  3940  4568        WerFault.exe  105
  3368  2188        WerFault.exe  118
  4524  2992        WerFault.exe  128
  3248  2008        WerFault.exe  138
  2216  1396        WerFault.exe  147
  4492  4452        WerFault.exe  156
  4168  3880        WerFault.exe  168
  2268  1512        WerFault.exe  177
Every pid_target is one of the ten dropped-EXE instances. Each instance registered its scheduled task and launched its restart batch before crashing, and the batch relaunched the Roaming copy, which is what produces the ten nested iterations in the process tree. The report gives no crash cause.
Creates scheduled task(s) (1 TTPs, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1664  schtasks.exe
  4896  schtasks.exe
  4796  schtasks.exe
  2492  schtasks.exe
  3200  schtasks.exe
  3044  schtasks.exe
  2932  schtasks.exe
  2732  schtasks.exe
  4564  schtasks.exe
  3500  schtasks.exe
  3816  schtasks.exe
All eleven calls create the same task, "Windows x64 System Client", with /sc ONLOGON and /rl HIGHEST; /f overwrites the task if it already exists, so the repeated calls are idempotent. PID 3500 points the task at the %TEMP% copy; the other ten point it at the Roaming\Micosoft copy.
Runs ping.exe (1 TTPs, 10 IoCs)
  pid   Process
  4748  PING.EXE
  2160  PING.EXE
  5080  PING.EXE
  2984  PING.EXE
  5096  PING.EXE
  4512  PING.EXE
  2516  PING.EXE
  1836  PING.EXE
  4504  PING.EXE
  1612  PING.EXE
Each call is "ping -n 10 localhost" from the restart batch: ten echo requests to the loopback, a delay of roughly nine seconds before the batch relaunches the dropped executable.
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description             pid   Process
  Token: SeDebugPrivilege  2732  Win64Sys.exe
  Token: SeDebugPrivilege  3660  Win64Sys.exe
  Token: SeDebugPrivilege  112   Win64Sys.exe
  Token: SeDebugPrivilege  4568  Win64Sys.exe
  Token: SeDebugPrivilege  2188  Win64Sys.exe
  Token: SeDebugPrivilege  2992  Win64Sys.exe
  Token: SeDebugPrivilege  2008  Win64Sys.exe
  Token: SeDebugPrivilege  1396  Win64Sys.exe
  Token: SeDebugPrivilege  4452  Win64Sys.exe
  Token: SeDebugPrivilege  3880  Win64Sys.exe
  Token: SeDebugPrivilege  1512  Win64Sys.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid   Process
  3660  Win64Sys.exe
  112   Win64Sys.exe
  4568  Win64Sys.exe
  2188  Win64Sys.exe
  2992  Win64Sys.exe
  2008  Win64Sys.exe
  1396  Win64Sys.exe
  4452  Win64Sys.exe
  3880  Win64Sys.exe
  1512  Win64Sys.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  pid   wrote to memory of  Process       procid_target  entries
  2732  3500                Win64Sys.exe  77             3
  2732  3660                Win64Sys.exe  79             3
  3660  4796                Win64Sys.exe  80             3
  3660  2192                Win64Sys.exe  82             3
  2192  680                 cmd.exe       84             3
  2192  4504                cmd.exe       86             3
  2192  112                 cmd.exe       93             3
  112   2492                Win64Sys.exe  94             3
  112   5080                Win64Sys.exe  96             3
  5080  2768                cmd.exe       99             3
  5080  1612                cmd.exe       101            3
  5080  4568                cmd.exe       105            3
  4568  1664                Win64Sys.exe  106            3
  4568  1996                Win64Sys.exe  108            3
  1996  1184                cmd.exe       112            3
  1996  2984                cmd.exe       113            3
  1996  2188                cmd.exe       118            3
  2188  3816                Win64Sys.exe  120            3
  2188  1228                Win64Sys.exe  122            3
  1228  312                 cmd.exe       125            3
  1228  5096                cmd.exe       127            3
  1228  2992                cmd.exe       128            1
(The report records three entries per child launch; the list is cut off at 64 entries, so later iterations of the chain are not shown here.)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe (PID 2732)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 3500)
      cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
      - Quasar RAT
      - Creates scheduled task(s)
  [2] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 3660)
      cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 4796)
        cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2192)
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxQoVBJfPmZ6.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\chcp.com (PID 680)
          cmdline: chcp 65001
      [4] C:\Windows\SysWOW64\PING.EXE (PID 4504)
          cmdline: ping -n 10 localhost
          - Runs ping.exe
      [4] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 112)
          cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe (PID 2492)
            cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\cmd.exe (PID 5080)
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i4xkL2sRqDAs.bat" "
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\chcp.com (PID 2768)
              cmdline: chcp 65001
          [6] C:\Windows\SysWOW64\PING.EXE (PID 1612)
              cmdline: ping -n 10 localhost
              - Runs ping.exe
          [6] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 4568)
              cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe (PID 1664)
                cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1996)
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqjJIQRmLTbT.bat" "
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\chcp.com (PID 1184)
                  cmdline: chcp 65001
              [8] C:\Windows\SysWOW64\PING.EXE (PID 2984)
                  cmdline: ping -n 10 localhost
                  - Runs ping.exe
              [8] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 2188)
                  cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                  - Executes dropped EXE
                  - Checks computer location settings
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\schtasks.exe (PID 3816)
                    cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                    - Creates scheduled task(s)
                [9] C:\Windows\SysWOW64\cmd.exe (PID 1228)
                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9cKc2Z9RMXiy.bat" "
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\SysWOW64\chcp.com (PID 312)
                      cmdline: chcp 65001
                  [10] C:\Windows\SysWOW64\PING.EXE (PID 5096)
                      cmdline: ping -n 10 localhost
                      - Runs ping.exe
                  [10] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 2992)
                      cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                      - Executes dropped EXE
                      - Checks computer location settings
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of SetWindowsHookEx
                    [11] C:\Windows\SysWOW64\schtasks.exe (PID 3200)
                        cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                        - Creates scheduled task(s)
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2508)
                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBxEC1lMg7lG.bat" "
                      [12] C:\Windows\SysWOW64\chcp.com (PID 4188)
                          cmdline: chcp 65001
                      [12] C:\Windows\SysWOW64\PING.EXE (PID 4748)
                          cmdline: ping -n 10 localhost
                          - Runs ping.exe
                      [12] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 2008)
                          cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                          - Executes dropped EXE
                          - Checks computer location settings
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of SetWindowsHookEx
                        [13] C:\Windows\SysWOW64\schtasks.exe (PID 3044)
                            cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                            - Creates scheduled task(s)
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 1884)
                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S5pcWkhDZE7l.bat" "
                          [14] C:\Windows\SysWOW64\chcp.com (PID 4568)
                              cmdline: chcp 65001
                          [14] C:\Windows\SysWOW64\PING.EXE (PID 4512)
                              cmdline: ping -n 10 localhost
                              - Runs ping.exe
                          [14] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 1396)
                              cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                              - Executes dropped EXE
                              - Checks computer location settings
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of SetWindowsHookEx
                            [15] C:\Windows\SysWOW64\schtasks.exe (PID 2932)
                                cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                - Creates scheduled task(s)
                            [15] C:\Windows\SysWOW64\cmd.exe (PID 1748)
                                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zi0nNaBYLyjU.bat" "
                              [16] C:\Windows\SysWOW64\chcp.com (PID 1760)
                                  cmdline: chcp 65001
                              [16] C:\Windows\SysWOW64\PING.EXE (PID 2160)
                                  cmdline: ping -n 10 localhost
                                  - Runs ping.exe
                              [16] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 4452)
                                  cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                  - Executes dropped EXE
                                  - Checks computer location settings
                                  - Suspicious use of AdjustPrivilegeToken
                                  - Suspicious use of SetWindowsHookEx
                                [17] C:\Windows\SysWOW64\schtasks.exe (PID 2732)
                                    cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                    - Creates scheduled task(s)
                                [17] C:\Windows\SysWOW64\cmd.exe (PID 3564)
                                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMoRpvzX8Jj1.bat" "
                                  [18] C:\Windows\SysWOW64\chcp.com (PID 3744)
                                      cmdline: chcp 65001
                                  [18] C:\Windows\SysWOW64\PING.EXE (PID 2516)
                                      cmdline: ping -n 10 localhost
                                      - Runs ping.exe
                                  [18] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 3880)
                                      cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                      - Executes dropped EXE
                                      - Checks computer location settings
                                      - Suspicious use of AdjustPrivilegeToken
                                      - Suspicious use of SetWindowsHookEx
                                    [19] C:\Windows\SysWOW64\schtasks.exe (PID 4564)
                                        cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                        - Creates scheduled task(s)
                                    [19] C:\Windows\SysWOW64\cmd.exe (PID 3804)
                                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4T148ohUgIlw.bat" "
                                      [20] C:\Windows\SysWOW64\chcp.com (PID 2100)
                                          cmdline: chcp 65001
                                      [20] C:\Windows\SysWOW64\PING.EXE (PID 5080)
                                          cmdline: ping -n 10 localhost
                                          - Runs ping.exe
                                      [20] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe (PID 1512)
                                          cmdline: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                          - Executes dropped EXE
                                          - Checks computer location settings
                                          - Suspicious use of AdjustPrivilegeToken
                                          - Suspicious use of SetWindowsHookEx
                                        [21] C:\Windows\SysWOW64\schtasks.exe (PID 4896)
                                            cmdline: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                            - Creates scheduled task(s)
                                        [21] C:\Windows\SysWOW64\cmd.exe (PID 4704)
                                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymNfDeLqQvA9.bat" "
                                          [22] C:\Windows\SysWOW64\chcp.com (PID 4740)
                                              cmdline: chcp 65001
                                          [22] C:\Windows\SysWOW64\PING.EXE (PID 1836)
                                              cmdline: ping -n 10 localhost
                                              - Runs ping.exe
                                        [21] C:\Windows\SysWOW64\WerFault.exe (PID 2268)
                                            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1660
                                            - Program crash
                                    [19] C:\Windows\SysWOW64\WerFault.exe (PID 4168)
                                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1664
                                        - Program crash
                                [17] C:\Windows\SysWOW64\WerFault.exe (PID 4492)
                                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 2220
                                    - Program crash
                            [15] C:\Windows\SysWOW64\WerFault.exe (PID 2216)
                                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1672
                                - Program crash
                        [13] C:\Windows\SysWOW64\WerFault.exe (PID 3248)
                            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1664
                            - Program crash
                    [11] C:\Windows\SysWOW64\WerFault.exe (PID 4524)
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1664
                        - Program crash
                [9] C:\Windows\SysWOW64\WerFault.exe (PID 3368)
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1640
                    - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 3940)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2216
                - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 1952)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 2224
            - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe (PID 4084)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1696
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3848)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3660 -ip 3660
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4988)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 112 -ip 112
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3244)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4568 -ip 4568
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4372)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2188 -ip 2188
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2368)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2992 -ip 2992
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1644)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2008 -ip 2008
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2400)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1396 -ip 1396
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4544)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4452 -ip 4452
[1] C:\Windows\SysWOW64\WerFault.exe (PID 5060)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3880 -ip 3880
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3004)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1512 -ip 1512

Reading the tree: the numbers in brackets are nesting depth. The original %TEMP% copy (PID 2732) registers the logon task and starts the Roaming\Micosoft copy; every Roaming instance re-registers the same task, writes a randomly named .bat to %TEMP% and runs it through cmd.exe; the batch sets the console code page (chcp 65001), waits (ping -n 10 localhost) and starts the Roaming copy again, and the instance that launched the batch is then handled by WerFault. Note the PID reuse: 4568, 2732 and 5080 each appear twice (a Win64Sys.exe, the first sample process and a cmd.exe, later reused for chcp.com, schtasks.exe and PING.EXE), so correlate on PID plus start time rather than PID alone.
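The two behaviours in this tree worth a detection are the schtasks persistence (ONLOGON, /rl HIGHEST, task action in a user-writable path, task name equal to the extracted startup_key) and the restart chain (cmd.exe running a %TEMP% .bat whose children are chcp 65001, ping -n N localhost and a relaunch of the image that spawned cmd.exe). The Python below is an added example written for this page, not code from the sandbox or from the Quasar project. It runs both checks over process-creation events constructed from the command lines above; the event schema (pid, ppid, image, cmdline) is an assumption about a generic process-creation log, and the benign "Nightly backup" task with pids 9000/9001 is invented for contrast. It generalises slightly beyond the page by also accepting /sc ONSTART as a boot trigger and 127.0.0.1 as the loopback ping target.

```python
"""Detect the schtasks persistence and the .bat restart chain from this report.

Added example for this page, not code from the sandbox or from Quasar. The
event schema (pid, ppid, image, cmdline) is an assumed generic
process-creation log, not the sandbox's export format.
"""
import re
from collections import defaultdict

# Scheduled-task name from the extracted config (startup_key).
STARTUP_KEY = "Windows x64 System Client"

# Constructed events: one restart iteration from the process tree, plus an
# invented benign daily task (pids 9000/9001) for contrast.
EVENTS = [
    {"pid": 2732, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"'},
    {"pid": 3500, "ppid": 2732, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f'},
    {"pid": 3660, "ppid": 2732, "image": r"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"'},
    {"pid": 2192, "ppid": 3660, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxQoVBJfPmZ6.bat" "'},
    {"pid": 680, "ppid": 2192, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 4504, "ppid": 2192, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 112, "ppid": 2192, "image": r"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"'},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare word
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\', re.I)
BAT_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.bat', re.I)
PING_RE = re.compile(r'-n\s+\d+\s+(?:localhost|127\.0\.0\.1)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Map /switches to their values; switches without a value map to True."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok.lower()] = True if (not nxt or nxt.startswith("/")) else nxt
    return opts


def detect_schtasks_persistence(event, startup_key=STARTUP_KEY):
    """Score a schtasks /create call; two or more reasons make it a hit."""
    if basename(event["image"]) != "schtasks.exe":
        return None
    opts = parse_schtasks(event["cmdline"])
    if "/create" not in opts:
        return None
    target = opts.get("/tr") if isinstance(opts.get("/tr"), str) else ""
    reasons = []
    if str(opts.get("/sc", "")).upper() in ("ONLOGON", "ONSTART"):
        reasons.append("logon/boot trigger")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if USER_WRITABLE_RE.search(target):
        reasons.append("action in user-writable path")
    if opts.get("/tn") == startup_key:
        reasons.append("task name equals extracted startup_key")
    if len(reasons) < 2:
        return None
    return {"pid": event["pid"], "task": opts.get("/tn"), "target": target, "reasons": reasons}


def detect_restart_chain(events):
    """cmd.exe running a .bat whose children are chcp 65001, ping -n N to the
    loopback and a relaunch of an executable from a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        bat = BAT_RE.search(e["cmdline"]) if basename(e["image"]) == "cmd.exe" else None
        if not bat:
            continue
        kids = children[e["pid"]]
        has_chcp = any(basename(k["image"]) == "chcp.com" and "65001" in k["cmdline"] for k in kids)
        has_ping = any(basename(k["image"]) == "ping.exe" and PING_RE.search(k["cmdline"]) for k in kids)
        relaunched = [k for k in kids if basename(k["image"]) not in ("chcp.com", "ping.exe")
                      and USER_WRITABLE_RE.search(k["image"])]
        if not (has_chcp and has_ping and relaunched):
            continue
        # In the tree above the batch relaunches the very image that spawned cmd.exe.
        parent = by_pid.get(e["ppid"])
        self_restart = parent is not None and any(
            k["image"].lower() == parent["image"].lower() for k in relaunched)
        hits.append({"cmd_pid": e["pid"], "batch": bat.group(0),
                     "relaunched_pid": relaunched[0]["pid"], "self_restart": self_restart})
    return hits


def run(events=EVENTS):
    return {"persistence": [h for h in map(detect_schtasks_persistence, events) if h],
            "restart_chains": detect_restart_chain(events)}
```

Both detectors are parent-child aware. The schtasks check scores trigger, run level, action path and the match against the extracted startup_key, so an ordinary daily task pointing into Program Files scores zero while PID 3500 scores four. The restart-chain check requires all three children of the same cmd.exe and reports whether the relaunched image equals the image of the cmd.exe's parent, which is what separates this self-restart from a generic batch launcher. Because this tree reuses PIDs 4568, 2732 and 5080, a production version should key processes on PID plus start time rather than on PID alone.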
Network
MITRE ATT&CK Enterprise v6
Downloads
(Dropped files as listed by the report; this export carries no filenames.)

Filesize: 1KB
MD5: 10eab9c2684febb5327b6976f2047587
SHA1: a12ed54146a7f5c4c580416aecb899549712449e
SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Filesize: 211B
MD5: 699d73adfd3a854ba40cc50bde1dc2e9
SHA1: 5c15a079480256c0983df2c994bd81f352fc6334
SHA256: 3fb29a6c16e23b0647c22ffb18d7212c4c9b278ce9f92d40979d105608d65957
SHA512: b01ef46f14319930897a21ab9d82a3ab7650451a5dcea01ddc65c8565b841592dd93a7ed5c88e336d8ac21c94c84c073a8ff997071faefe634ce23e56a4a8dce

Filesize: 211B
MD5: 0a00b3246c9c46aa5a87b2301325e779
SHA1: f5998b332194d41540d18e4a7d0d779848edd062
SHA256: 1ed945a28234133e3c68ca9a621a8e4e54bf0ce295656eab45eb164eb709b21b
SHA512: 83290e8ab848dfc2f9fe4b33d7275ef8bf8a5f0e5431c487c48192679343b451b66443c7904fb8519f77ecbd17ed41c8fd96ae2904a261941a3b7ab4e26e9252

Filesize: 211B
MD5: f5b7e4c58ede92627b4d4826dc296503
SHA1: f13025c96079d647aaea585c618a62ade44e2dd5
SHA256: c51627842277fc7bf2e08150c0279cec8f12e0622adff636a3f57564ff38144b
SHA512: 911b93d9b308e56c9c9bf70f4dcb1ebc3e44df553091f32170667c0a0012a5cc1d793cb2601b6e31a7b3b84e7eef023d9c373ad91e9fd76360005385753baf19

Filesize: 211B
MD5: ac4c21a3f6517d9f4e6b4ed9fc74df22
SHA1: 82776a4977065db8fb70e32fe16fc5eca43208df
SHA256: 05c5355ef5c8f88ca6c3ff6b7e74a300a1e799332d8969c9f8f4ccd96f584f96
SHA512: 7ef4e50bc8122df642f5ed1049438cfda02a43b401c7eba9fc1facfff80850b773d69ac9a1c7b2c8afabd78c192d48b42e324d93b9a63d035474b65e0402246a

Filesize: 211B
MD5: bf7cfdcf412fca3c62c24f6756141c0b
SHA1: 41816156589406cd365d49f94055563090bd4662
SHA256: f6dba0b8323d3c8b02f1c35f4212821dd6294d8e0d42627baba3b852b953552d
SHA512: 151a28a0b2eb9cca0113d300a7fbf1bf2d712e9da34507e18f9bc311e511f6393b966e21ad8c7b40e7ef83911cddfc8741f0df48cef77903f409c010043571be

Filesize: 211B
MD5: f02c032808cc042c78df5117615c21bd
SHA1: 119d8fb3a258d7b04f7534064420ae4234fd6900
SHA256: 30cdad1dd1fbb9daa66fb5362e3284ffd20b9ab7370b9b6cd959561914d499a6
SHA512: ab984078caaca819864a8ed8a5298726f88da66eb74b75a81373113f0076ebe75ffb5472bbaeb829e01bcd5a9c28addfdf294ab2738cd9b93289f7b6312c1f1b

Filesize: 211B
MD5: ad763c94ed7ff972c5f0b996f1ada3b9
SHA1: da5a60a5ae835e0c1bf53c15349573d619b644e0
SHA256: 5cfcdad20fb36691a1311a85a3b94276cbc2ef70d2a3ec99b358d5734da26008
SHA512: 863a4f2a9a6e806abf933ea9c2669b575d8660a5d6fdd72248beabbd9fa698b27620fce8971c23ed58cd020e8b027fe11e571a20b6d242eec00d58d01ee0eadb

Filesize: 211B
MD5: fe7e5260fe5f82240bf442f6e14e1559
SHA1: 63d8a0088e22f39ce0d7007f387f27edc8feff4e
SHA256: b62c960662b87e69679587383926652734a1a78a70f730dc070e6b5d730921b4
SHA512: 594087e7dd284e491d0f040a08d8e771f3a7c06b334c2a4bd640f2f5dd0d230e7304829a939860cf7571fb22846d36ceebdeaebd83404d41773e2945e4ae449c

Filesize: 211B
MD5: 80608e54c9d6f59779dc426298fa2532
SHA1: 7c2925e9b21afbd9797ebd47b26cb7509a681b06
SHA256: 2c610b825eda21227911a30ef5515f60875fc14b81d73b522cdbcd86964e809d
SHA512: d8a1407df42ea261dbef6152b491a52465c67f79ff0eb681834faad7b352855bcfe842f96b6ec590ea981a74861c0c6e04b672a614e63d74fb79a4933a91d88a

Filesize: 211B
MD5: 377511d0e0c329c9253864c4075d9ceb
SHA1: 8dd4e09f2eb5348a93e52542699344b36a5aee92
SHA256: b0177a6e7059afaf7c1faf12d5b4b880263b2ea7163ce0e810bcf59029be57e0
SHA512: 1126d8f69b122cd3c7800fcea319d50fcdef7055f2c71558b6859f01ba25dd00bd23f5c33061e036c505106b36b1cc4369230d605908eb3cbae639d17b7e22da

Filesize: 224B
MD5: 3369da65be3db4fc20753e109ea3c206
SHA1: 9a2197e3b25bc85f853654e81d43100bdf394b80
SHA256: 093375928b5b23b5bc72b33858e451f2f2a8352236fda5ad06384c781697c08a
SHA512: 61289c5aac727e721a75d0534cfe3f06e81afd95f2d857ed83ffa89c522254faf8c29af53e6f828fa38d12bebbb6a5f0aac8d7795bf950175fd993335f92a20d

Filesize: 224B
MD5: 9c06ae9fa2caf21d8525eec91be22c08
SHA1: 8298b04e2b45f637c8e04be27d42adce451bf374
SHA256: 574ad250309f0fbc1f9247de97d6ee3d9d14ddc910682c2eac2b43d5e192bc49
SHA512: 8eb34485b26e4afee545375c01c199b128b07da404b27c2abb434bd0f5def641dba96da37bb2214e7b21ce418af538abe536062a918c368bc4793382d3c8952f

Filesize: 224B
MD5: 730d8f0e9f085eb51ee7f64f821329a6
SHA1: 1b25bec68cf0af2a2902bda25f86e5db39117a9d
SHA256: 2973a0cfe51d236a41730334fa67f3a947f1c0160ec0477c4b097071cdf03b2f
SHA512: 6ecc65d6158d43c3bbf47707ce770b48f06e7a33947dfc34740aa1437de60eae844108041d4b2915c44eb79af7fdd970c711e8e6b4c46de83b8c332490d7b963

Filesize: 224B
MD5: 2dadeebcab65323b29b8a22062284f76
SHA1: 03b1a8b49b87046af3a819c28df419d0c5c3b4b5
SHA256: 8aaba91bda21a5d6e84136927f5e1c9f48dac973acf1f1bfe057edf2cf370c2c
SHA512: a0a7830411ab4c28ff6c0ee29a5a3e1c7a78c61aec9039128eedbb94b70e295c10ba59b47cf0424aa7d36d07a20bd49ea4ed5afcaf36a9878aa6e69687956518

Filesize: 224B
MD5: 13c0a1ee513e3952342cfe03eaa8f31b
SHA1: 1a1b24cc24266146ca7ccf795acfb7a488a3b854
SHA256: ecb76e778699238375644b69c504bae3c349ba313ae781d849e54ff6e2ff656b
SHA512: 562e750e79da50a4668666965841d688c34d6641d6322eb2ecd4561699050ac20102381c888ba132e1a84406b54adee16d07bfd7072abff219f67330041a8b98

Filesize: 224B
MD5: 27573779c615e2e97b39e68a9f7572bb
SHA1: e5a2687e887bddddf921136ccc2598bfb2b42de7
SHA256: 44b0a3982cbc80e77c6d936a407423fea1640a71108b63a7524c72ffc47469df
SHA512: 5a565d1b3783343b6bd8d1971e579d7fa3a944c5bf403ca76ee0975893f43810cc6fd32b0787660d242886dea004cae3b5c81fd560b462f3c978bfca6a111811

Filesize: 224B
MD5: 65d0d44ef37e9436278eda200fa79790
SHA1: a88bdfa49e5fdf1bc5594c49cd58b2b319c68dd7
SHA256: 7494547997bb89042bd5d520a17698c77d5daf7bb91dea5866db2d02276354cb
SHA512: e7952c6447974583076fb27e90114b8e9374a6a5b25d4a042bbdbb506d6462f326226e83ff8b149c92e339ecc513f500fb692c19f59c55753aa3f1ef25b55013

Filesize: 224B
MD5: 7b4ba48ebdc19fb27225c133b49fd621
SHA1: eed49882275ea5a9cd0f4f5d52126d065a558f77
SHA256: f215c4f767b71d45b06e9f943add09760ec16649518e86a4899cae9d35b6b74c
SHA512: a00da5695501f29fcfd20c2a3f4b95665e5c6a522a24eb6f551a2af69d9c1ea6c310d46ff8eeac424d41bbb6b2a13ba706e29303a8dec1b3b1884ec738231457

Filesize: 224B
MD5: b8b1b2ecac8a5d069faaccac24274ecd
SHA1: 8e144da6f25c7ffb6db43644aa0df1bb629ad3d7
SHA256: 5082420ad90723718a472b72147f68e2d0716a15f71e5f7dd1824a3f83b1205e
SHA512: 9d56be68424273cdedb9d743a8cd8abe32ba50157fb03562fbbb3990962f5eac53dabc2b74ff8446aa0ed26097f1caad68d1024a775cd0bcdb47b8d88a021dfd

Filesize: 378KB
MD5: 361ee66ffa93eda7d78eb4a5d14bfd57
SHA1: e8157e8283a3f8eb7390d45b98ae4d32c53ce273
SHA256: 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
SHA512: 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6
(This entry appears 11 times in the report with identical hashes. They are the hashes of the submitted sample, so the dropped copy in Roaming\Micosoft is byte-identical to the file submitted; the 378KB hashes above can be used as-is for both.)