remcos | a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe
Size

483KB
MD5

c16b61d355597e973962354a54d9105a
SHA1

418f9f2d76cc53b40f6f7321f93bff947af7a699
SHA256

a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8
SHA512

9e4ede43e4cce4a0312cb52a795bf04bf75b7f5c8dfd837f47d86968db11febc92434d1aa71d88e785d3e99e12a99d997ce0edc9061fe2b380f82d03f7c7071e
SSDEEP

6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNH5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDicv

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

jansuri.kozow.com:7232

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3XBWOL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3180	3192	WerFault.exe	iexplore.exe
4600	372	WerFault.exe	iexplore.exe
2436	2440	WerFault.exe	iexplore.exe
2364	1216	WerFault.exe	iexplore.exe
5036	4260	WerFault.exe	iexplore.exe
4532	3780	WerFault.exe	iexplore.exe
4264	3016	WerFault.exe	iexplore.exe
3180	4588	WerFault.exe	iexplore.exe
3192	3376	WerFault.exe	iexplore.exe
4920	4996	WerFault.exe	iexplore.exe
3960	2948	WerFault.exe	iexplore.exe
2852	1000	WerFault.exe	iexplore.exe
2480	4692	WerFault.exe	iexplore.exe
1404	320	WerFault.exe	iexplore.exe
4724	4432	WerFault.exe	iexplore.exe
3960	3384	WerFault.exe	iexplore.exe
3276	1776	WerFault.exe	iexplore.exe
1000	3780	WerFault.exe	iexplore.exe
4116	4016	WerFault.exe	iexplore.exe
1788	1420	WerFault.exe	iexplore.exe
3092	4464	WerFault.exe	iexplore.exe
3144	1612	WerFault.exe	iexplore.exe
4872	1720	WerFault.exe	iexplore.exe
1392	4268	WerFault.exe	iexplore.exe
5108	4724	WerFault.exe	iexplore.exe
972	2364	WerFault.exe	iexplore.exe
1208	228	WerFault.exe	iexplore.exe
2576	4596	WerFault.exe	iexplore.exe
1360	436	WerFault.exe	iexplore.exe
3676	4492	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 31 IoCs

Processes:

17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exeiexplore.exe

description	pid	process	target process
PID 4000 set thread context of 1084	4000	17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe	iexplore.exe
PID 1084 set thread context of 372	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 3192	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 2440	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4260	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 1216	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 3780	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 3016	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 3376	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4588	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4996	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 2948	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 1000	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 320	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4692	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4432	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 3384	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 1776	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 3780	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4016	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 1420	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4464	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 1612	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4268	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 1720	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4724	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 228	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 2364	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4596	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 4492	1084	iexplore.exe	iexplore.exe
PID 1084 set thread context of 436	1084	iexplore.exe	iexplore.exe

Suspicious behavior: MapViewOfSection 39 IoCs

Processes:

17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exeiexplore.exe

pid	process
4000	17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe
1084	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exeiexplore.exe

description	pid	process	target process
PID 4000 wrote to memory of 1084	4000	17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe	iexplore.exe
PID 4000 wrote to memory of 1084	4000	17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe	iexplore.exe
PID 4000 wrote to memory of 1084	4000	17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe	iexplore.exe
PID 4000 wrote to memory of 1084	4000	17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe	iexplore.exe
PID 1084 wrote to memory of 372	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 372	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 372	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 372	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3192	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3192	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3192	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3192	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2440	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2440	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2440	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2440	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4260	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4260	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4260	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4260	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1216	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1216	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1216	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1216	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3780	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3780	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3780	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3780	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3016	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3016	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3016	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3016	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3376	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3376	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3376	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 3376	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4588	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4588	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4588	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4588	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 552	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 552	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 552	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4996	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4996	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4996	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4996	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2948	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2948	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2948	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 2948	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1000	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1000	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1000	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 1000	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 320	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 320	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 320	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 320	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4692	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4692	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4692	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4692	1084	iexplore.exe	iexplore.exe
PID 1084 wrote to memory of 4432	1084	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\17122153850e49c0cfb850fba174cf16707d6542d13cef87fc72c790ae00b3df54faaaaed9126.dat-decoded.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4000
- \??\c:\program files (x86)\internet explorer\iexplore.exe
  "c:\program files (x86)\internet explorer\iexplore.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1084
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kqgbvagnczyzemgkbypnwtmx"
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 12
      4⤵
      Program crash
      PID:4600
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\usllwsqhqiqegsuosibohyggfwb"
    3⤵
    PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 12
      4⤵
      Program crash
      PID:3180
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wnyewlbieqiqqgrsbloqklbxolsdjz"
    3⤵
    PID:2440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 12
      4⤵
      Program crash
      PID:2436
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rcmvtswurmmkchvycxc"
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 12
      4⤵
      Program crash
      PID:5036
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\besotkgnnuepfnjkmipckz"
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 12
      4⤵
      Program crash
      PID:2364
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\myfguurpbcwtptfodtjevduxi"
    3⤵
    PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 12
      4⤵
      Program crash
      PID:4532
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ihgiruoudhsadiyyn"
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 12
      4⤵
      Program crash
      PID:4264
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tjlbsmhwrpkeopmcxbxs"
    3⤵
    PID:3376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 12
      4⤵
      Program crash
      PID:3192
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ddrutfspfxcjqvigoljtcjho"
    3⤵
    PID:4588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 12
      4⤵
      Program crash
      PID:3180
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ysnlpdebauhd"
    3⤵
    PID:552
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ysnlpdebauhd"
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 12
      4⤵
      Program crash
      PID:4920
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\inswqwpcoczhmcb"
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 12
      4⤵
      Program crash
      PID:3960
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lpxorozwckruoqxcilx"
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 12
      4⤵
      Program crash
      PID:2852
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fwtgnnu"
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 12
      4⤵
      Program crash
      PID:1404
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pyyyofejepn"
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 12
      4⤵
      Program crash
      PID:2480
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aseroypdrxfxnd"
    3⤵
    PID:4432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 12
      4⤵
      Program crash
      PID:4724
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjftmp"
    3⤵
    PID:3384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 12
      4⤵
      Program crash
      PID:3960
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\heklmhfjp"
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 12
      4⤵
      Program crash
      PID:3276
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ryyenaqldsmn"
    3⤵
    PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 12
      4⤵
      Program crash
      PID:1000
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mnlvjhcwqoqgiglwoqgeviauotzjcynj"
    3⤵
    PID:1352
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mnlvjhcwqoqgiglwoqgeviauotzjcynj"
    3⤵
    PID:4016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 12
      4⤵
      Program crash
      PID:4116
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\opzo"
    3⤵
    PID:2436
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\opzo"
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 12
      4⤵
      Program crash
      PID:1788
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zjezljf"
    3⤵
    PID:4420
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zjezljf"
    3⤵
    PID:2992
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zjezljf"
    3⤵
    PID:1200
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zjezljf"
    3⤵
    PID:4464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 12
      4⤵
      Program crash
      PID:3092
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tysqhqsdoberhbakpptsybsuqjf"
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 12
      4⤵
      Program crash
      PID:3144
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\esfjijdxcjwwjhwwzagubonlryonyl"
    3⤵
    PID:2680
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\esfjijdxcjwwjhwwzagubonlryonyl"
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 12
      4⤵
      Program crash
      PID:1392
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gulbjbnyqrobtnkaqlbnmtauzegwrvfxo"
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 12
      4⤵
      Program crash
      PID:4872
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lemlgsserwlhidckaibinggkt"
    3⤵
    PID:4724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 12
      4⤵
      Program crash
      PID:5108
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vyrwgldfnedmsjzoktojqlabudlsl"
    3⤵
    PID:228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 12
      4⤵
      Program crash
      PID:1208
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yawohdozbmvrupnstdbdbynkdjvbeiyg"
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 12
      4⤵
      Program crash
      PID:972
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\spsgecikpjzkgqryuipw"
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 12
      4⤵
      Program crash
      PID:2576
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cjyyeutmdrrxqenkmsbxtmtb"
    3⤵
    PID:2484
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cjyyeutmdrrxqenkmsbxtmtb"
    3⤵
    PID:4492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 12
      4⤵
      Program crash
      PID:3676
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nddjfnefrzjctkbovdwzerosxib"
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 12
      4⤵
      Program crash
      PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 372 -ip 372
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3192 -ip 3192
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2440 -ip 2440
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4260 -ip 4260
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1216 -ip 1216
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3780 -ip 3780
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3016 -ip 3016
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3376 -ip 3376
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4588 -ip 4588
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4996 -ip 4996
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2948 -ip 2948
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1000 -ip 1000
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 320 -ip 320
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4692 -ip 4692
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4432 -ip 4432
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3384 -ip 3384
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1776 -ip 1776
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3780 -ip 3780
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4016 -ip 4016
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1420 -ip 1420
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4464 -ip 4464
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1612 -ip 1612
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4268 -ip 4268
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1720 -ip 1720
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4724 -ip 4724
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 228 -ip 228
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2364 -ip 2364
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4492 -ip 4492
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 436 -ip 436
1⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:8
1⤵
PID:4268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1084-26-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-8-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-3-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-27-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-5-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-6-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-7-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-28-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-9-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-10-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-11-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-13-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-1-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-47-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-63-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-0-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-4-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-2-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-62-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-48-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-49-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-53-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-54-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-52-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-55-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-56-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-57-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-58-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-59-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-60-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1084-61-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/2440-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3192-15-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download