Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14/04/2023, 06:46
Static task
static1
General
-
Target
61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe
-
Size
1.0MB
-
MD5
57a9d3ab7023393ff07fd5739ff7a45a
-
SHA1
ec8fd5389b923de3522090bf5d74c45662f3ad08
-
SHA256
61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a
-
SHA512
afcc2dd80ecc5de8f69baac0a4a459cffea46bf12cbd936f4c083a78cc9dbf1143754c86b3263f52fdf40559539aa3eb97c460c28540ca61b7c8eda562f89c49
-
SSDEEP
24576:ByxYr2PF9xDNoL453EdAVFMXLZisUVcMoiFMJ/POuo3RA+:0jjmJaGZzGcM3OOP3
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Extracted
redline
disa
185.161.248.90:4125
-
auth_value
93f8c4ca7000e3381dd4b6b86434de05
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it751078.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it751078.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it751078.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it751078.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it751078.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it751078.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation jr840354.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation lr029644.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 9 IoCs
pid Process 2392 zidP0105.exe 944 zigM0409.exe 1980 it751078.exe 1952 jr840354.exe 1128 1.exe 3972 kp876670.exe 1928 lr029644.exe 1328 oneetx.exe 4780 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 4412 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it751078.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zidP0105.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zidP0105.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zigM0409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" zigM0409.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 29 IoCs
pid pid_target Process procid_target 812 1952 WerFault.exe 95 3628 1928 WerFault.exe 102 3256 1928 WerFault.exe 102 4468 1928 WerFault.exe 102 3612 1928 WerFault.exe 102 2772 1928 WerFault.exe 102 4896 1928 WerFault.exe 102 2344 1928 WerFault.exe 102 5092 1928 WerFault.exe 102 2584 1928 WerFault.exe 102 1660 1928 WerFault.exe 102 4396 1328 WerFault.exe 121 3756 1328 WerFault.exe 121 916 1328 WerFault.exe 121 3128 1328 WerFault.exe 121 3596 1328 WerFault.exe 121 764 1328 WerFault.exe 121 2096 1328 WerFault.exe 121 4456 1328 WerFault.exe 121 4964 1328 WerFault.exe 121 992 1328 WerFault.exe 121 3108 1328 WerFault.exe 121 3392 1328 WerFault.exe 121 2052 4780 WerFault.exe 150 1816 4780 WerFault.exe 150 2288 4780 WerFault.exe 150 3612 1328 WerFault.exe 121 840 1328 WerFault.exe 121 4404 1328 WerFault.exe 121 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3360 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1980 it751078.exe 1980 it751078.exe 1128 1.exe 3972 kp876670.exe 3972 kp876670.exe 1128 1.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1980 it751078.exe Token: SeDebugPrivilege 1952 jr840354.exe Token: SeDebugPrivilege 1128 1.exe Token: SeDebugPrivilege 3972 kp876670.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1928 lr029644.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 3772 wrote to memory of 2392 3772 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe 86 PID 3772 wrote to memory of 2392 3772 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe 86 PID 3772 wrote to memory of 2392 3772 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe 86 PID 2392 wrote to memory of 944 2392 zidP0105.exe 87 PID 2392 wrote to memory of 944 2392 zidP0105.exe 87 PID 2392 wrote to memory of 944 2392 zidP0105.exe 87 PID 944 wrote to memory of 1980 944 zigM0409.exe 88 PID 944 wrote to memory of 1980 944 zigM0409.exe 88 PID 944 wrote to memory of 1952 944 zigM0409.exe 95 PID 944 wrote to memory of 1952 944 zigM0409.exe 95 PID 944 wrote to memory of 1952 944 zigM0409.exe 95 PID 1952 wrote to memory of 1128 1952 jr840354.exe 97 PID 1952 wrote to memory of 1128 1952 jr840354.exe 97 PID 1952 wrote to memory of 1128 1952 jr840354.exe 97 PID 2392 wrote to memory of 3972 2392 zidP0105.exe 100 PID 2392 wrote to memory of 3972 2392 zidP0105.exe 100 PID 2392 wrote to memory of 3972 2392 zidP0105.exe 100 PID 3772 wrote to memory of 1928 3772 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe 102 PID 3772 wrote to memory of 1928 3772 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe 102 PID 3772 wrote to memory of 1928 3772 61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe 102 PID 1928 wrote to memory of 1328 1928 lr029644.exe 121 PID 1928 wrote to memory of 1328 1928 lr029644.exe 121 PID 1928 wrote to memory of 1328 1928 lr029644.exe 121 PID 1328 wrote to memory of 3360 1328 oneetx.exe 138 PID 1328 wrote to memory of 3360 1328 oneetx.exe 138 PID 1328 wrote to memory of 3360 1328 oneetx.exe 138 PID 1328 wrote to memory of 4412 1328 oneetx.exe 159 PID 1328 wrote to memory of 4412 1328 oneetx.exe 159 PID 1328 wrote to memory of 4412 1328 oneetx.exe 159
Processes
-
C:\Users\Admin\AppData\Local\Temp\61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe"C:\Users\Admin\AppData\Local\Temp\61745071aa52ad3be9effde6e4f17e691273d1aa9a98b87408dccc193a45bc4a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidP0105.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidP0105.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM0409.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM0409.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it751078.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it751078.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr840354.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr840354.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 13805⤵
- Program crash
PID:812
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp876670.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp876670.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr029644.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr029644.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 7003⤵
- Program crash
PID:3628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 7603⤵
- Program crash
PID:3256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 8003⤵
- Program crash
PID:4468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 8043⤵
- Program crash
PID:3612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 9923⤵
- Program crash
PID:2772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 9643⤵
- Program crash
PID:4896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 12163⤵
- Program crash
PID:2344
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 12243⤵
- Program crash
PID:5092
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 13203⤵
- Program crash
PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 6964⤵
- Program crash
PID:4396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 8884⤵
- Program crash
PID:3756
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 9204⤵
- Program crash
PID:916
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 10564⤵
- Program crash
PID:3128
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 10764⤵
- Program crash
PID:3596
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 10764⤵
- Program crash
PID:764
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 11004⤵
- Program crash
PID:2096
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:3360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 9964⤵
- Program crash
PID:4456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 13004⤵
- Program crash
PID:4964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 13084⤵
- Program crash
PID:992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 7964⤵
- Program crash
PID:3108
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 10924⤵
- Program crash
PID:3392
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 16044⤵
- Program crash
PID:3612
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:4412
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 10924⤵
- Program crash
PID:840
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 16204⤵
- Program crash
PID:4404
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 8083⤵
- Program crash
PID:1660
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1952 -ip 19521⤵PID:3228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 19281⤵PID:4044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1928 -ip 19281⤵PID:1508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:2456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵PID:1388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1928 -ip 19281⤵PID:3500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1928 -ip 19281⤵PID:4676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1928 -ip 19281⤵PID:2996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1928 -ip 19281⤵PID:544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1928 -ip 19281⤵PID:1612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1928 -ip 19281⤵PID:2540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1328 -ip 13281⤵PID:4116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1328 -ip 13281⤵PID:1032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1328 -ip 13281⤵PID:964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1328 -ip 13281⤵PID:2756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1328 -ip 13281⤵PID:2700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1328 -ip 13281⤵PID:2848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1328 -ip 13281⤵PID:4448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1328 -ip 13281⤵PID:4388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1328 -ip 13281⤵PID:944
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1328 -ip 13281⤵PID:2924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1328 -ip 13281⤵PID:1884
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1328 -ip 13281⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 3962⤵
- Program crash
PID:2052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 4402⤵
- Program crash
PID:1816
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 4402⤵
- Program crash
PID:2288
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4780 -ip 47801⤵PID:3656
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4780 -ip 47801⤵PID:4032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4780 -ip 47801⤵PID:4844
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1328 -ip 13281⤵PID:4104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1328 -ip 13281⤵PID:5028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1328 -ip 13281⤵PID:5012
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
723KB
MD5aa53eaef65b6d4631603e9c6ceb6d3d8
SHA16d8023fc3dcdcb0ced1daca490890e3c1c25589f
SHA256b3b1bbe696dc36661669b5baf70bba67c6e4131ee4feae506e6a928ecfe22fcf
SHA5128d89a0c06d5fc108a6173a6a1add2626e67ca77b73034f48389b80aaa24071184ad4da6b9fa5f23dad0b6e7c85e9a6b5efb7468f7d2435a12a85be41d84c9679
-
Filesize
723KB
MD5aa53eaef65b6d4631603e9c6ceb6d3d8
SHA16d8023fc3dcdcb0ced1daca490890e3c1c25589f
SHA256b3b1bbe696dc36661669b5baf70bba67c6e4131ee4feae506e6a928ecfe22fcf
SHA5128d89a0c06d5fc108a6173a6a1add2626e67ca77b73034f48389b80aaa24071184ad4da6b9fa5f23dad0b6e7c85e9a6b5efb7468f7d2435a12a85be41d84c9679
-
Filesize
169KB
MD544bb7751be5d1c278ba83cf292ca1699
SHA1b52479674d9dd6201e7d8cc13b7e9ca95b1a74c3
SHA256488c5dfdd5785726dc44885ecc5615030e1b093562ab08fc1ca7f6c3abf3695c
SHA512cc04ce79876fcb606d1eb42a21af6d630a63a8c3c2a97b5431897fe1321cc8c29ff103f78fe0b51322681311919e3de95a7837b068e7b5b60626a0f82aa83d62
-
Filesize
169KB
MD544bb7751be5d1c278ba83cf292ca1699
SHA1b52479674d9dd6201e7d8cc13b7e9ca95b1a74c3
SHA256488c5dfdd5785726dc44885ecc5615030e1b093562ab08fc1ca7f6c3abf3695c
SHA512cc04ce79876fcb606d1eb42a21af6d630a63a8c3c2a97b5431897fe1321cc8c29ff103f78fe0b51322681311919e3de95a7837b068e7b5b60626a0f82aa83d62
-
Filesize
569KB
MD587b33b45864df861d64aacc851e54a6a
SHA12ae3421cc1b2d11506da34806410a6c90c47fa36
SHA2562c8b4ed72c92f70261d593055b39591f167135e6dfcc0299e0313e357fa11b69
SHA512e48d6f6b10d9ce8610edbd7ecc93597826c7d1d894aed72202b88b148435334bd157d2a329e861efd8f98e1f01c30e2ffb8c0b590097ab7702bc080543446080
-
Filesize
569KB
MD587b33b45864df861d64aacc851e54a6a
SHA12ae3421cc1b2d11506da34806410a6c90c47fa36
SHA2562c8b4ed72c92f70261d593055b39591f167135e6dfcc0299e0313e357fa11b69
SHA512e48d6f6b10d9ce8610edbd7ecc93597826c7d1d894aed72202b88b148435334bd157d2a329e861efd8f98e1f01c30e2ffb8c0b590097ab7702bc080543446080
-
Filesize
11KB
MD51a7b9559d14c81c22ffd3883f84d963c
SHA149b7f5ee1ddf3b0ac85b2339fe6d3f1f81f0b603
SHA256c5d102c4c9e239f09a976e9a80a7007f91eeb77d49b84cc30fe4f6393aa4e63c
SHA5120bbe187d7f54e7cdc1ec5473ec4aa34eed6c60e6561b28e0b04b592ed0657cb266114d87dc335d970a062d196edbbe1f9edd029cba6a2e23c1e7ca4e210f05c2
-
Filesize
11KB
MD51a7b9559d14c81c22ffd3883f84d963c
SHA149b7f5ee1ddf3b0ac85b2339fe6d3f1f81f0b603
SHA256c5d102c4c9e239f09a976e9a80a7007f91eeb77d49b84cc30fe4f6393aa4e63c
SHA5120bbe187d7f54e7cdc1ec5473ec4aa34eed6c60e6561b28e0b04b592ed0657cb266114d87dc335d970a062d196edbbe1f9edd029cba6a2e23c1e7ca4e210f05c2
-
Filesize
587KB
MD5a40227c7e67e3f40ef4204d32af269fa
SHA13249f58cc070c5c0249c9b50542f68e9e0ea9270
SHA25699d41f92cddb223065e7449b54cf850ee308bbe18ed888c4495448852d83c7e2
SHA5120363ada1952b0dedbd8fdfc05176a24a87116e8c7113c7e443e52c83abbf14edfd8ccd714ce98cfbd7a0ff3e03a46fedd2400e381b92bafbd531d5bddc3d8c2c
-
Filesize
587KB
MD5a40227c7e67e3f40ef4204d32af269fa
SHA13249f58cc070c5c0249c9b50542f68e9e0ea9270
SHA25699d41f92cddb223065e7449b54cf850ee308bbe18ed888c4495448852d83c7e2
SHA5120363ada1952b0dedbd8fdfc05176a24a87116e8c7113c7e443e52c83abbf14edfd8ccd714ce98cfbd7a0ff3e03a46fedd2400e381b92bafbd531d5bddc3d8c2c
-
Filesize
89KB
MD5ee69aeae2f96208fc3b11dfb70e07161
SHA15f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA25613ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA51294373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize
89KB
MD5ee69aeae2f96208fc3b11dfb70e07161
SHA15f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA25613ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA51294373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize
89KB
MD5ee69aeae2f96208fc3b11dfb70e07161
SHA15f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA25613ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA51294373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1