Analysis
-
max time kernel
148s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2023 04:25
Static task
static1
General
-
Target
d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe
-
Size
979KB
-
MD5
cb903ce4bb6433f49be3c8c1ac9b6ff0
-
SHA1
4ad34670b39347a66c56246ec396b3ba8b6bcfd5
-
SHA256
d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345
-
SHA512
9e884dd97522da97915437da34e4baf4d929722bcbc46a4277e5b27716bc6acf990bf08a5aff2e703467ed7384e29ccd44cf17a0db7dbc8c9d8d4020ec1ec3a2
-
SSDEEP
12288:5y90N9d13w1iujv01iDVR4Krmt8qOKcw41BoInppgPdy//x5mneq2raH4dBFo6AQ:5yx+ilmSBokngcBq1CNdBFy9w9AQNKg
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr627599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr627599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr627599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr627599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr627599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr627599.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation si253819.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 9 IoCs
pid Process 1836 un400033.exe 1164 un840776.exe 4132 pr627599.exe 60 qu576099.exe 1364 rk596140.exe 2224 si253819.exe 1528 oneetx.exe 1700 oneetx.exe 1752 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 4924 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr627599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr627599.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un400033.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un400033.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un840776.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" un840776.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 30 IoCs
pid pid_target Process procid_target 4412 4132 WerFault.exe 86 3764 60 WerFault.exe 95 448 2224 WerFault.exe 101 1708 2224 WerFault.exe 101 364 2224 WerFault.exe 101 1220 2224 WerFault.exe 101 2628 2224 WerFault.exe 101 1444 2224 WerFault.exe 101 1032 2224 WerFault.exe 101 2512 2224 WerFault.exe 101 4600 2224 WerFault.exe 101 2288 2224 WerFault.exe 101 4396 1528 WerFault.exe 120 4184 1528 WerFault.exe 120 3636 1528 WerFault.exe 120 2784 1528 WerFault.exe 120 1360 1528 WerFault.exe 120 3604 1528 WerFault.exe 120 4644 1528 WerFault.exe 120 3256 1528 WerFault.exe 120 2616 1528 WerFault.exe 120 3744 1528 WerFault.exe 120 3380 1528 WerFault.exe 120 3064 1528 WerFault.exe 120 1860 1700 WerFault.exe 149 3928 1528 WerFault.exe 120 800 1528 WerFault.exe 120 1676 1528 WerFault.exe 120 2400 1752 WerFault.exe 159 1712 1528 WerFault.exe 120 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5024 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4132 pr627599.exe 4132 pr627599.exe 60 qu576099.exe 60 qu576099.exe 1364 rk596140.exe 1364 rk596140.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4132 pr627599.exe Token: SeDebugPrivilege 60 qu576099.exe Token: SeDebugPrivilege 1364 rk596140.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2224 si253819.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2864 wrote to memory of 1836 2864 d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe 84 PID 2864 wrote to memory of 1836 2864 d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe 84 PID 2864 wrote to memory of 1836 2864 d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe 84 PID 1836 wrote to memory of 1164 1836 un400033.exe 85 PID 1836 wrote to memory of 1164 1836 un400033.exe 85 PID 1836 wrote to memory of 1164 1836 un400033.exe 85 PID 1164 wrote to memory of 4132 1164 un840776.exe 86 PID 1164 wrote to memory of 4132 1164 un840776.exe 86 PID 1164 wrote to memory of 4132 1164 un840776.exe 86 PID 1164 wrote to memory of 60 1164 un840776.exe 95 PID 1164 wrote to memory of 60 1164 un840776.exe 95 PID 1164 wrote to memory of 60 1164 un840776.exe 95 PID 1836 wrote to memory of 1364 1836 un400033.exe 99 PID 1836 wrote to memory of 1364 1836 un400033.exe 99 PID 1836 wrote to memory of 1364 1836 un400033.exe 99 PID 2864 wrote to memory of 2224 2864 d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe 101 PID 2864 wrote to memory of 2224 2864 d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe 101 PID 2864 wrote to memory of 2224 2864 d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe 101 PID 2224 wrote to memory of 1528 2224 si253819.exe 120 PID 2224 wrote to memory of 1528 2224 si253819.exe 120 PID 2224 wrote to memory of 1528 2224 si253819.exe 120 PID 1528 wrote to memory of 5024 1528 oneetx.exe 137 PID 1528 wrote to memory of 5024 1528 oneetx.exe 137 PID 1528 wrote to memory of 5024 1528 oneetx.exe 137 PID 1528 wrote to memory of 4924 1528 oneetx.exe 156 PID 1528 wrote to memory of 4924 1528 oneetx.exe 156 PID 1528 wrote to memory of 4924 1528 oneetx.exe 156
Processes
-
C:\Users\Admin\AppData\Local\Temp\d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe"C:\Users\Admin\AppData\Local\Temp\d083504ee4bd68ca340d01feac299e16b6ab068664a19f3f9837ad2b00d5b345.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400033.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400033.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un840776.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un840776.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr627599.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr627599.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 10885⤵
- Program crash
PID:4412
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu576099.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu576099.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 13165⤵
- Program crash
PID:3764
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk596140.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk596140.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si253819.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si253819.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 7123⤵
- Program crash
PID:448
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 7883⤵
- Program crash
PID:1708
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 8603⤵
- Program crash
PID:364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 9563⤵
- Program crash
PID:1220
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 9603⤵
- Program crash
PID:2628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 9803⤵
- Program crash
PID:1444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 12163⤵
- Program crash
PID:1032
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 12483⤵
- Program crash
PID:2512
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 13243⤵
- Program crash
PID:4600
-
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 7084⤵
- Program crash
PID:4396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 8484⤵
- Program crash
PID:4184
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 8924⤵
- Program crash
PID:3636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 10564⤵
- Program crash
PID:2784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 10764⤵
- Program crash
PID:1360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 10924⤵
- Program crash
PID:3604
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 11324⤵
- Program crash
PID:4644
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:5024
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 9964⤵
- Program crash
PID:3256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 7804⤵
- Program crash
PID:2616
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 7724⤵
- Program crash
PID:3744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 13124⤵
- Program crash
PID:3380
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 15564⤵
- Program crash
PID:3064
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 11724⤵
- Program crash
PID:3928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 16164⤵
- Program crash
PID:800
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:4924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 11004⤵
- Program crash
PID:1676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 16444⤵
- Program crash
PID:1712
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 14443⤵
- Program crash
PID:2288
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4132 -ip 41321⤵PID:4388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 60 -ip 601⤵PID:964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2224 -ip 22241⤵PID:4684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2224 -ip 22241⤵PID:2136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2224 -ip 22241⤵PID:2708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2224 -ip 22241⤵PID:4172
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2224 -ip 22241⤵PID:4768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2224 -ip 22241⤵PID:1712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2224 -ip 22241⤵PID:4668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2224 -ip 22241⤵PID:3924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2224 -ip 22241⤵PID:2040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2224 -ip 22241⤵PID:2612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1528 -ip 15281⤵PID:1120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1528 -ip 15281⤵PID:2092
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1528 -ip 15281⤵PID:2576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1528 -ip 15281⤵PID:460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1528 -ip 15281⤵PID:1544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1528 -ip 15281⤵PID:2436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1528 -ip 15281⤵PID:3612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1528 -ip 15281⤵PID:4160
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1528 -ip 15281⤵PID:4812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1528 -ip 15281⤵PID:1160
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1528 -ip 15281⤵PID:4252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1528 -ip 15281⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 4322⤵
- Program crash
PID:1860
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1700 -ip 17001⤵PID:2828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1528 -ip 15281⤵PID:1988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1528 -ip 15281⤵PID:4972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1528 -ip 15281⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 4282⤵
- Program crash
PID:2400
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1752 -ip 17521⤵PID:2520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1528 -ip 15281⤵PID:4448
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
270KB
MD50c8be10a5a6fcb08bf74cc42c10f6370
SHA12c852730b711fa54b2232b4b24416a1fa371d1fc
SHA25624d7dacb81931a7363a331c7fda7381bf6311abbd183a8b5d663170a6f2091f6
SHA512a98566a23a628f52d8cfcb0b655e93df969487386793d8e936eaf0ff1d8e992017ace4ffe5f94e7f0a0058411c64ba40f6085e8cfbcad8593ff1143b95a08011
-
Filesize
705KB
MD56bd9b4b727996e794b88e84eedf1ff64
SHA1e4839ef60055c868377e43bdf80433de018fd5ea
SHA256ebd3adc8b0a341d077f365cbac06cd77318cfb4a02344204f44d1ac14d45bca6
SHA512833a1af8fdf5a58290fb110431a2df53343924d856d3d0e735ac1308c61ed5f1324d88d2be55a3ce3231dd68a5e58b3eadb49fe7073259fdda1d4ee1b2b09924
-
Filesize
705KB
MD56bd9b4b727996e794b88e84eedf1ff64
SHA1e4839ef60055c868377e43bdf80433de018fd5ea
SHA256ebd3adc8b0a341d077f365cbac06cd77318cfb4a02344204f44d1ac14d45bca6
SHA512833a1af8fdf5a58290fb110431a2df53343924d856d3d0e735ac1308c61ed5f1324d88d2be55a3ce3231dd68a5e58b3eadb49fe7073259fdda1d4ee1b2b09924
-
Filesize
136KB
MD5359db2338ae0f977dcf10e90cf9816fb
SHA194126cb670e5f434e555c991c967e0ee98fae552
SHA2565f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc
SHA512d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc
-
Filesize
136KB
MD5359db2338ae0f977dcf10e90cf9816fb
SHA194126cb670e5f434e555c991c967e0ee98fae552
SHA2565f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc
SHA512d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc
-
Filesize
551KB
MD5cbfc32be8f15980a0101601ffef99c8a
SHA1acc1a35d4029004bc24659c524661912d9f99040
SHA256fd412c91a98fc50178c95edf2ac64314abb625df866a366df9b26a86a65fff5e
SHA512276fcadca97bc780391fd4a73a43918ae419b3b7391c589b80c0c135a381691dc1cc596bfc62abb9e491e7c5feebc8d4ec1baf7b3a79af7a9af51c39da279030
-
Filesize
551KB
MD5cbfc32be8f15980a0101601ffef99c8a
SHA1acc1a35d4029004bc24659c524661912d9f99040
SHA256fd412c91a98fc50178c95edf2ac64314abb625df866a366df9b26a86a65fff5e
SHA512276fcadca97bc780391fd4a73a43918ae419b3b7391c589b80c0c135a381691dc1cc596bfc62abb9e491e7c5feebc8d4ec1baf7b3a79af7a9af51c39da279030
-
Filesize
278KB
MD5b264c6b5e8428dffec0fcfdec9a2c02b
SHA1f01773d24f284d0a8d656b8908d3f7a698364a29
SHA256f137261d0dab9042264ec1b3e65c4966409af11583e8defc4b8c239e56c5d531
SHA512359b16d7e9dc11fea5e0829e7293984c31d7360d45ecc1c6cd2d78f7f75f07bc59da7a7cbe3020edb47d8054df929b6d4c3a0ae66a04c15f8ec11e9394cc817e
-
Filesize
278KB
MD5b264c6b5e8428dffec0fcfdec9a2c02b
SHA1f01773d24f284d0a8d656b8908d3f7a698364a29
SHA256f137261d0dab9042264ec1b3e65c4966409af11583e8defc4b8c239e56c5d531
SHA512359b16d7e9dc11fea5e0829e7293984c31d7360d45ecc1c6cd2d78f7f75f07bc59da7a7cbe3020edb47d8054df929b6d4c3a0ae66a04c15f8ec11e9394cc817e
-
Filesize
360KB
MD5957b7d9325d5a547bd1793ba810f36fb
SHA14ab0305135f2f4713d149b27eabf8d7a9e47925b
SHA256dc09ac435dadd5606bcbcf1343f05a5aebc96be0b809ae4fbbf3063a10df3c21
SHA5124b5d9867ad514061ff43032f2c54337aaf62fecb40a112af5d04f4f13c124f4e40ef19d675234127efbcc745892610d83c43c31a334f51c6b3f08d808c8e04e6
-
Filesize
360KB
MD5957b7d9325d5a547bd1793ba810f36fb
SHA14ab0305135f2f4713d149b27eabf8d7a9e47925b
SHA256dc09ac435dadd5606bcbcf1343f05a5aebc96be0b809ae4fbbf3063a10df3c21
SHA5124b5d9867ad514061ff43032f2c54337aaf62fecb40a112af5d04f4f13c124f4e40ef19d675234127efbcc745892610d83c43c31a334f51c6b3f08d808c8e04e6
-
Filesize
89KB
MD5ee69aeae2f96208fc3b11dfb70e07161
SHA15f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA25613ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA51294373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize
89KB
MD5ee69aeae2f96208fc3b11dfb70e07161
SHA15f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA25613ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA51294373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize
89KB
MD5ee69aeae2f96208fc3b11dfb70e07161
SHA15f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA25613ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA51294373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5