Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe
-
Size
882KB
-
MD5
c2874e64dc4a713e5f1a394c132d9382
-
SHA1
f8e8f6448660d3bde3affda3a4534e24d2bd6074
-
SHA256
41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975
-
SHA512
95c339e5bab30ea79de68e97ab6ea06cc0520807610bcf9b25267b8150b718078b28243a5347e51ad89f09fc736bd35cb077222b576992e6361b64b7ec316b45
-
SSDEEP
12288:tMr1y90Jd4rJMuNnRX3l8dI2YcKoPLByw4yNkz1sLw1m5pPT4zVyc8kvjRMbHaCE:oy44plHolDkz1AIeCzAc9yJIixO+8
Malware Config
Extracted
redline
breha
77.91.124.55:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe"C:\Users\Admin\AppData\Local\Temp\41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR7cC46.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR7cC46.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NH5Jt10.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NH5Jt10.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VH4zj36.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VH4zj36.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PV08BV7.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1PV08BV7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 5686⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Re2210.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Re2210.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 5527⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1526⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gY89Th.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gY89Th.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 5925⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Sw518nV.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Sw518nV.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1364⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Jb8fK7.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Jb8fK7.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4769.tmp\476A.tmp\476B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Jb8fK7.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe774346f8,0x7ffe77434708,0x7ffe774347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5512 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8968955020085673568,8488566114052611580,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1320 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x70,0x16c,0x7ffe774346f8,0x7ffe77434708,0x7ffe774347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4773152641618116549,9868372178909514009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4773152641618116549,9868372178909514009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe774346f8,0x7ffe77434708,0x7ffe774347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,9119213488434023393,11572950650591213736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,9119213488434023393,11572950650591213736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2132 -ip 21321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4496 -ip 44961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3884 -ip 38841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4288 -ip 42881⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
Filesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
Filesize
6KB
MD521df1da7ea22957b8b9f15220b8db555
SHA1b1948940bb592c57e6bdb733e2a0f24352b66e08
SHA256d4d11188bf701e9e60afce4bf63481ccd3f27b7ce45275994519b7654f4f0094
SHA5120edbd88a588771ab0ddea6e1cd0210db67f10f0fe4c1793d329d3f9603ab3e74032fce1a749b09b62554ca0952ae5e93346d6728086a2c66e8e189a067283f1e
-
Filesize
1KB
MD53e72cb769f6cc768eaccd8040ed6e876
SHA12de43273463f07c4b2fd7910f8338a86aed63c0f
SHA256817a1432af89d89a65c50df435a4c243235e14df16985eb8e5c9684185ee8c4e
SHA51210e62d98e7cd704f9321f6ed937158bdac98f66f41dfbfd5c57be8eb4a2ef667ea91c5facafeab85710f29f93f413d6e977070ebe75974d202f90b0e379736ff
-
Filesize
2KB
MD542e8f176d15095148467bda0f60f989b
SHA11c62d6974c6801db10741ff46a469b9a67679034
SHA256f253a802ae936fa550890dafd5ec1872f558868090ce2223046abb4fdb6b9b78
SHA512fe8bef8a401d19b31d55c89fa18daaab9dc6846c80f07ed124b2ce4558c7e36609953611cec60f6725e8115b19f1eb07194f12410d09cc8f80c37d217b0557ac
-
Filesize
2KB
MD598f20a504d53d8407e36346b031c43c7
SHA1849e9877b42575fa11f1d6114e040806ca119ec5
SHA2561c2686d3608ce9320af86bffeed8493edde6a3d0f0ff077286619e061c86c08b
SHA512d31f40979402a3910fde31fdb52ae0a46ee21cc0bf6f39c5c2f2e524b5e335e0ed70f441b254578389cc89e8ffe3704de85cd66d0bc5ec50db08be405cc1deec
-
Filesize
7KB
MD54dd348a2d680a450e04f3904db05990f
SHA1a42307ff6da020e85dbae2c2482e3f048d72011a
SHA256ee260f8e7a4a0ae64261c33a1a22d5c47d8449b4feeefc13250ba45f99422029
SHA51214dce1f955a8173e82433dbabef8e03c0b357bf35d3391023606d8494a8268716d902e9a49b7aea921506ad84ff635c77822e47d89514b927fa6c8f7ab67c7fd
-
Filesize
89B
MD59057f80d69370ac9df9e56e7b14d5778
SHA1ffa751d761610270afd311563d4bcec0e0346120
SHA256c3215e74a0ef87731bc5eee6276c8d4cb73461a83e763c9fc771a85e2f756dd1
SHA512bfd5b61129b45950679f52eb8244283575daa31d6d29322696efcca8ff4f006fdef92b814b1b03a11b3b973f1872fbfcb8b69d524a30f68a4d261b255d809e85
-
Filesize
146B
MD52cb080ceb78f8d88f29d33071a9f6921
SHA1aa3c1afdf513df47ecb64a3686277d0952f9c49b
SHA256b1a07ab76159a5a2692699664c46c232b18405a0fa53b58760ba17c7394e2446
SHA51267c0b26009f225c4d5cd892da9c56c91aa283483877dfce7bfdb0b18f7a68914f6471dfed69a51d614ac6bc6b998982da8c6432bfeeda064b5613eaf54ce1e9e
-
Filesize
82B
MD53fa440d890550787b1bdd9321b0d172a
SHA1a778907c2892c7f361131ec47285c4fef292f9dc
SHA256140cf6374de3f9f27537facf254fd1ef139ee414c731ed4b796979e9c98c345e
SHA51207143c521fdba1cf7092cfa596ca969a3d4d474bd0f18e0cf948c8c65d3a571775ca9bc110841dfc62b1ed429e86ba2f49d06aa380f5c90f11038eb35f6d44e1
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD53a202403bb71e554c7e17cc93bcd9d89
SHA174d22d27f3f6302119e94211b920a9128867fee9
SHA256d2732e71d1244e19daefe16b7f20beda4170cefdaeac037c4c3eab9c4812e069
SHA5123f50ac9feef8837e42a149e1c72a9261b6375c982290b0348aa4ff2332d6771c0ea336f49faea4c05048ea9ee0fe422f784eb75534d48d20157cfdf3c59f5555
-
Filesize
48B
MD5381a8d1646852bcf669b0c746c106890
SHA1907743dd14377c4c6acb2b67a8c00e5685f641c1
SHA256472bebd702dcad4717c69051b35d1ffb9eca79feb7a50ac1bdb984154c9b1939
SHA512ca121e296060a53b7bf420bbd71b742ff4e0a94948928baeae4811be071772a8d38ef36be554568fed1c266992eeddaeba6ef53c4fc6248e1e9f8e504bc765f0
-
Filesize
1KB
MD54bfc334ae1dad68f2845d4e458f5e418
SHA1ee0fa11e63fdc449761fea8551923125d1428a99
SHA256637d19864fc2841ed0380dcea3e6da9024dd615ac06f2447301471efd566a3a2
SHA512e16fe4ee5d2df76a186ca04b109879b05b775d383eda80f19213348c1fb32c856b57f606f03e687128f451c311ec85b34ff5b84cbd122ecb2ee4d481de49aebd
-
Filesize
1KB
MD53a3641a8777b85ba92ee6e3fdd7d88e9
SHA1b3fd2aca50a0096ae38d370180f5772f6412602d
SHA256d3aebbf1db1cbd17d1ab13fc11f049b8b64b8ca25b7f5667ac891bbb8f89666f
SHA512109dbcb2aa420a0c79ced0a95ae5f3240b6c3b648b357f170109bfc3cfa8f2773382c13f63171048f93bfd8aac4a31e3fa9f04761ad3949ab7c58be028d6e16c
-
Filesize
1KB
MD59dc07c91c7f21fb914c6d58201a99598
SHA1bf65914ef15704bfd3150b0fdd994c7a87548f65
SHA25642fbb5741e7b8f18292554fca7853558fb0e2f2c7629b431a11ef3e3c9f46b80
SHA512760d548e31aeb914058477e4dba7ae7b7f7556753c552de0b7d22aa0a99fca8a5a17dfcbca86fee8b4e9e57ee8df3d1bbf1d0d64ab65b249fd308d24d17e764b
-
Filesize
1KB
MD5489feacf4693eeadb31f0df676340a6b
SHA14bb65130c5277ce97070f94371566b060806e5f2
SHA256686ca1a7098ba077afe31cc1357c135e288e6ceddeff3a5f60218f98ae1a27be
SHA5122e0549ea7d58243e81629ce9cef93f23928d29f27a3f8ad010709e1daaa99345ef15bbe523c7f1114148a78be5cc74d7de2add12f4fb6f72d795fb820b667b1b
-
Filesize
1KB
MD5de102310f86f1ab369d5201d52385a7c
SHA1b450264aa3b6a47c1a070bb9ffa75ea6ce59f249
SHA256133e9893fd2874306a1d001484b24867aa981c4f0a21955ff5996f99a19b171f
SHA512596cf9a97b0ea828f7085bb1eb5862b92094c3b9d89edcfee810c9984910ec77bdd2bc74232be52a6b1a12012aae15ed30570266c7a91d3986cb73ac1b1381a8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD54127674e1bea0018a7be6301ec4be79a
SHA1d7c6ad574237ee726127c7a11f994204cd802397
SHA256cfbac5e54eb88463babe022de432a7466a4c52c2a278b395775e011f5f3cf126
SHA512794cbe2ef695d2706b4f1dd011be5f0df87157d909ffe73e90263122bf1bc084fb0cc8f356b4d3a9e572a52cd1251b47ff9322c33cb3ccf55165fe5bc2e053b1
-
Filesize
8KB
MD5f2c6d27ec5a052184ed2fa60272809b0
SHA16072880ba14576a0238699ca06f94adfd627350a
SHA2561e8a5b3f18d3a8aadf81408d956d7b49dabc2c209dc1a1abb7360675508c7e04
SHA512f22814b37e2e2339523311fdf2bf5e08b9478ed0a84da8ec2c1ef5e0a4ef69c217a162944b49e2b99aeecb6db9949361e575674a1f5c39616efd5903154cc4c0
-
Filesize
11KB
MD5bda24a19b4c697f372b04fe06cca4cf3
SHA1f10e5780870d4a86355dadab0e5795baeb06009d
SHA2560dd2e21d5f478da0a72482dcb2637054c39869fff4057a7489dd8dac7f01210e
SHA512ae1a7c190ea0f1b0b368613c67bac2e3a684760a8add7ecbe394363ef52c1b1da4e4296128ef08764fcbe7632f692e5fcdabd6d81fe1626516291e067b3ee4a0
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
87KB
MD5949cbec3b3037780fbcf68b41a82fe60
SHA12f836ee237ffb57daf8d5dfff0461a1d65b4b672
SHA25636cbd02759f14d89ab98129f5568effa2e7d10b7b9ceb8f174e4aaafd8fbc8c3
SHA512facf34694cc2dad67b73cc7f6ba854deba1356c121f84490bc00106f349814418650522e49e3b4a9ddcee4ac6a4c06b453028ccf9dce65921a04d421c34c923e
-
Filesize
742KB
MD51c72cf4e68143e9563b613c8948873fc
SHA1ec5ed7fd64b5b2849317f8c9014bfb706db860d7
SHA256b7e5e3d078bcea0202418040de2234147d9f30ad195320677f36fa09ce6e8829
SHA5120fc3209463dada372dc2f91473848d56371f1877b92543dd4b0d92d05d419d57e5f33fd24eed8462338303852647c25dd825edd36a1feb14897998bd0d530251
-
Filesize
336KB
MD5cc40d1fd09946625e7b9a8b39115e019
SHA148487fed757a58e76c7bf8948a1e5114de85cd2c
SHA2563bdd4e656c4cf13ca8ecde337887d6ff65566b117dfc37413ac9b412be60a17c
SHA51248dad8fe2f06c50aa49e5b8c483b2a955f81a6599b0b1281fb29a4bbc1690a8d4c1c78320dbac36c9550afbcc288d043370c6045d51ac77b8cb4e0e437a65bce
-
Filesize
508KB
MD5522091f101a94de136e66d69be30e14f
SHA1e087bc9561aea26fc0612d2c02540692cb51d312
SHA25636c8c1bd5a2a065ca10b6ec7db47fafec37aae4cec85a358905be8177588fe43
SHA51265516d8d40c419d08014d68828010e53278ad8442db6d3090fd33946b5869de00b933fa2c9f155031b303cf0008c07506bc03fe60b70918633d059a15223b8b0
-
Filesize
145KB
MD5ce3b6a20db18d730a3706a0d4c9e3a67
SHA1200fff6de835d17f8e240b16226d7e79f1c58eab
SHA2568f9e23a3acbad41d00e4521368b32db5a801611914f2217088bbe2ee379e3775
SHA512533e2604545d2a0a6d8f69f83b1c06400416c3618b5ce68050c96c4384ead04558594958a1128d67ed6683585528a8b67f418f7efc0d583568bf2f547bfab2ce
-
Filesize
324KB
MD5597c5108f287f50f7c2cdc8c9b4ee0b9
SHA19840c5ec7759f9d39832183a196828df83665c97
SHA256a8ac4275228bdbd18e96161c17aa38551f4748db6ff650997fc5c44095ec608b
SHA5124d9e41761bc272030001f8176546683b66e444ea24d4ec2f807ef07ff039409769d270eb042a647348d4bd1149f25e0870ba2c4f002d4861f7ab483af308eade
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
295KB
MD5e5b62ebfb765fb5276bd60ac1160cf42
SHA12ae5b0b91d341d092180314b7c6bfa5c53e367b7
SHA256c70ba80942dad9cddb5fa849b84f3d38fe1b5426dca1e0329d491cb4367f55c6
SHA5125ac3fc6c3f874a84660d373fe1c89f922daaf43eeb794ec2d6998c0823ce81f8c5ec802392b48a715c27bb737c23edf0c4311f6e4f93bcbc7ab577df943d8af3
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
1.0MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB