Analysis
Max time kernel: 150s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-03-2023 19:07
Static task: static1
Behavioral task: behavioral1
  Sample: Microsoft-Office-Pro_AXUdx5sk.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Microsoft-Office-Pro_AXUdx5sk.exe
  Resource: win10v2004-20230220-en
General
Target: Microsoft-Office-Pro_AXUdx5sk.exe
Size: 3.5MB
MD5: 793c091d621ab270b4d7d8993a524ed4
SHA1: a71ba72c3806a01342fdbd5d44eef61394d4070e
SHA256: b13eb5dae6302c922ea00378babc97b214e90cf6e2e0b37e67fd6b82c4b38db9
SHA512: f35d79a0ac8a29669672de82b8cbe90a9d80735dd99b4b72817ce9a7f5b8a21c58e9f79e95f87f8259ec607921d23e266744611b7ae386c4f54ef4de0dbb4d38
SSDEEP: 98304:LOhfS5oFTjvvhWUPrJC9DRczor/PgTyCMQmR8Ud12Fohv:yhfhTjv5jrJaDRUsoR+s6v
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  1400  is-CR83O.tmp
  1324  vLiteSort323.exe
  1316  vLiteSort323.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid   process
  1400  is-CR83O.tmp
- Checks for any installed AV software in registry (1 TTPs, 4 IoCs)
  Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build  vLiteSort323.exe
  Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build  vLiteSort323.exe
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop  vLiteSort323.exe
  Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop  vLiteSort323.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (9 IoCs)
  Processes:
  description  ioc  process
  File created  C:\Program Files (x86)\vLiteSort\is-V3LL4.tmp  is-CR83O.tmp
  File created  C:\Program Files (x86)\vLiteSort\is-I2682.tmp  is-CR83O.tmp
  File created  C:\Program Files (x86)\vLiteSort\is-C8L8V.tmp  is-CR83O.tmp
  File created  C:\Program Files (x86)\vLiteSort\is-QOKOO.tmp  is-CR83O.tmp
  File created  C:\Program Files (x86)\vLiteSort\is-784TE.tmp  is-CR83O.tmp
  File opened for modification  C:\Program Files (x86)\vLiteSort\vLiteSort323.exe  is-CR83O.tmp
  File created  C:\Program Files (x86)\vLiteSort\unins000.dat  is-CR83O.tmp
  File opened for modification  C:\Program Files (x86)\vLiteSort\unins000.dat  is-CR83O.tmp
  File created  C:\Program Files (x86)\vLiteSort\is-GA000.tmp  is-CR83O.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (37 IoCs)
  Processes:
  pid   pid_target  process       target process
  2012  1324        WerFault.exe  vLiteSort323.exe
  4656  1324        WerFault.exe  vLiteSort323.exe
  5004  1324        WerFault.exe  vLiteSort323.exe
  2664  1324        WerFault.exe  vLiteSort323.exe
  4260  1316        WerFault.exe  vLiteSort323.exe
  4248  1316        WerFault.exe  vLiteSort323.exe
  616   1316        WerFault.exe  vLiteSort323.exe
  1704  1316        WerFault.exe  vLiteSort323.exe
  4576  1316        WerFault.exe  vLiteSort323.exe
  1172  1316        WerFault.exe  vLiteSort323.exe
  4028  1316        WerFault.exe  vLiteSort323.exe
  3108  1316        WerFault.exe  vLiteSort323.exe
  2276  1316        WerFault.exe  vLiteSort323.exe
  1412  1316        WerFault.exe  vLiteSort323.exe
  4208  1316        WerFault.exe  vLiteSort323.exe
  2712  1316        WerFault.exe  vLiteSort323.exe
  4320  1316        WerFault.exe  vLiteSort323.exe
  3876  1316        WerFault.exe  vLiteSort323.exe
  4776  1316        WerFault.exe  vLiteSort323.exe
  2540  1316        WerFault.exe  vLiteSort323.exe
  3944  1316        WerFault.exe  vLiteSort323.exe
  4468  1316        WerFault.exe  vLiteSort323.exe
  4428  1316        WerFault.exe  vLiteSort323.exe
  3024  1316        WerFault.exe  vLiteSort323.exe
  920   1316        WerFault.exe  vLiteSort323.exe
  4792  1316        WerFault.exe  vLiteSort323.exe
  4616  1316        WerFault.exe  vLiteSort323.exe
  4692  1316        WerFault.exe  vLiteSort323.exe
  3536  1316        WerFault.exe  vLiteSort323.exe
  4564  1316        WerFault.exe  vLiteSort323.exe
  1604  1316        WerFault.exe  vLiteSort323.exe
  4000  1316        WerFault.exe  vLiteSort323.exe
  4328  1316        WerFault.exe  vLiteSort323.exe
  1172  1316        WerFault.exe  vLiteSort323.exe
  4828  1316        WerFault.exe  vLiteSort323.exe
  1352  1316        WerFault.exe  vLiteSort323.exe
  2236  1316        WerFault.exe  vLiteSort323.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
- Modifies registry class (1 IoCs)
  Processes:
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid   process
  1316  vLiteSort323.exe
  1316  vLiteSort323.exe
  1316  vLiteSort323.exe
  1316  vLiteSort323.exe
  2372  msedge.exe
  2372  msedge.exe
  4396  msedge.exe
  4396  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  Processes:
  pid   process
  4396  msedge.exe
  4396  msedge.exe
  4396  msedge.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid   process
  4396  msedge.exe
  4396  msedge.exe
  4396  msedge.exe
  4396  msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description  pid  process  target process
  PID 2300 wrote to memory of 1400  2300  Microsoft-Office-Pro_AXUdx5sk.exe  is-CR83O.tmp
  PID 2300 wrote to memory of 1400  2300  Microsoft-Office-Pro_AXUdx5sk.exe  is-CR83O.tmp
  PID 2300 wrote to memory of 1400  2300  Microsoft-Office-Pro_AXUdx5sk.exe  is-CR83O.tmp
  PID 1400 wrote to memory of 1340  1400  is-CR83O.tmp  net.exe
  PID 1400 wrote to memory of 1340  1400  is-CR83O.tmp  net.exe
  PID 1400 wrote to memory of 1340  1400  is-CR83O.tmp  net.exe
  PID 1400 wrote to memory of 1324  1400  is-CR83O.tmp  vLiteSort323.exe
  PID 1400 wrote to memory of 1324  1400  is-CR83O.tmp  vLiteSort323.exe
  PID 1400 wrote to memory of 1324  1400  is-CR83O.tmp  vLiteSort323.exe
  PID 1340 wrote to memory of 4520  1340  net.exe  net1.exe
  PID 1340 wrote to memory of 4520  1340  net.exe  net1.exe
  PID 1340 wrote to memory of 4520  1340  net.exe  net1.exe
  PID 1400 wrote to memory of 4372  1400  is-CR83O.tmp  net.exe
  PID 1400 wrote to memory of 4372  1400  is-CR83O.tmp  net.exe
  PID 1400 wrote to memory of 4372  1400  is-CR83O.tmp  net.exe
  PID 1400 wrote to memory of 1316  1400  is-CR83O.tmp  vLiteSort323.exe
  PID 1400 wrote to memory of 1316  1400  is-CR83O.tmp  vLiteSort323.exe
  PID 1400 wrote to memory of 1316  1400  is-CR83O.tmp  vLiteSort323.exe
  PID 4372 wrote to memory of 4896  4372  net.exe  net1.exe
  PID 4372 wrote to memory of 4896  4372  net.exe  net1.exe
  PID 4372 wrote to memory of 4896  4372  net.exe  net1.exe
  PID 1316 wrote to memory of 4396  1316  vLiteSort323.exe  msedge.exe
  PID 1316 wrote to memory of 4396  1316  vLiteSort323.exe  msedge.exe
  PID 4396 wrote to memory of 4664  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 4664  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
  PID 4396 wrote to memory of 3360  4396  msedge.exe  msedge.exe
Processes
(Entries are indented by their depth in the process tree; each entry gives the image path, the command line, and the signatures it triggered.)

C:\Users\Admin\AppData\Local\Temp\Microsoft-Office-Pro_AXUdx5sk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft-Office-Pro_AXUdx5sk.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-HONRK.tmp\is-CR83O.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-HONRK.tmp\is-CR83O.tmp" /SL4 $1D003E "C:\Users\Admin\AppData\Local\Temp\Microsoft-Office-Pro_AXUdx5sk.exe" 3422627 48128
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" helpmsg 19
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 helpmsg 19

    C:\Program Files (x86)\vLiteSort\vLiteSort323.exe
      Command line: "C:\Program Files (x86)\vLiteSort\vLiteSort323.exe"
      - Executes dropped EXE

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 868
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 904
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1088
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 140
        - Program crash

    C:\Program Files (x86)\vLiteSort\vLiteSort323.exe
      Command line: "C:\Program Files (x86)\vLiteSort\vLiteSort323.exe" acc72abcfd35b06b0def5626fa90f304
      - Executes dropped EXE
      - Checks for any installed AV software in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 852
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 860
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 928
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1060
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1068
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1112
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1224
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1304
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1236
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1316
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 972
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1680
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1236
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1320
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1744
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 932
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1892
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2088
        - Program crash

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd72c746f8,0x7ffd72c74708,0x7ffd72c74718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11909841732590075998,8003925216937491890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11909841732590075998,8003925216937491890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11909841732590075998,8003925216937491890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11909841732590075998,8003925216937491890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11909841732590075998,8003925216937491890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11909841732590075998,8003925216937491890,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1680
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1784
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1776
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1936
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1832
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1748
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2168
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1840
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2180
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2008
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1868
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2012
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2228
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2008
        - Program crash

      C:\Users\Admin\AppData\Local\Temp\BAiE3du0\Adc22bDCjsI9fdl9.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\BAiE3du0\Adc22bDCjsI9fdl9.exe /VERYSILENT

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1960
        - Program crash

    C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" pause uLiteSort322
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 pause uLiteSort322

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1316 -ip 1316

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1316 -ip 1316
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads