Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05/09/2024, 12:09
General
-
Target
560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe
-
Size
1.4MB
-
MD5
c7fc0cee8ca35d709ed276e9f88ddbed
-
SHA1
ceea9d76bf0429872f4d7420addd0abdb5e8f4dc
-
SHA256
560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e
-
SHA512
a1b93c9cb87993f77f2decf0e4ee33277567651d7fb664b579f3e293f97c6b198ce701c02cffd9d295b3e40f62cd6500f55bc252212c5ec81ac9e257831273da
-
SSDEEP
24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aIHo9Hi9Yc1St1R1M9p09oMMhDIGL0:2TvC/MTQYxsWR7aIHEC+coJ1OpwoMMhv
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
Main
C2
84.38.132.103:7001
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-FR1M2R
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
AutoIT Executable 45 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 64 IoCs
-
Program crash 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe"C:\Users\Admin\AppData\Local\Temp\560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\directory\RegAsymX.exe"C:\Users\Admin\AppData\Local\Temp\560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\directory\RegAsymX.exe"C:\Users\Admin\AppData\Local\directory\RegAsymX.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\directory\RegAsymX.exe"C:\Users\Admin\AppData\Local\directory\RegAsymX.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1966⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 5766⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 5726⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1926⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 5646⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 5646⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 5726⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2126⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 2126⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 5926⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 5646⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 5646⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 5726⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 2166⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 2046⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 2006⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 5846⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 2006⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 5766⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1966⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 2166⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 5606⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 5886⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 5766⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1966⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 2046⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 2046⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2046⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 2046⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 5646⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 2086⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 5766⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 2006⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 2006⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 5726⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 2126⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 2126⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 2086⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 5606⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 2126⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 5606⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1966⤵
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 2046⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2432 -ip 24321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1092 -ip 10921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1592 -ip 15921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1484 -ip 14841⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4808 -ip 48081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3120 -ip 31201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2692 -ip 26921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4764 -ip 47641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4120 -ip 41201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4272 -ip 42721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4736 -ip 47361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1744 -ip 17441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4036 -ip 40361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3656 -ip 36561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1376 -ip 13761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4420 -ip 44201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1420 -ip 14201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3224 -ip 32241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1800 -ip 18001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5108 -ip 51081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4184 -ip 41841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4952 -ip 49521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2580 -ip 25801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1464 -ip 14641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3752 -ip 37521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3536 -ip 35361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3452 -ip 34521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4564 -ip 45641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1268 -ip 12681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1584 -ip 15841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3832 -ip 38321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4744 -ip 47441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2504 -ip 25041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2216 -ip 22161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1668 -ip 16681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3352 -ip 33521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 804 -ip 8041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2720 -ip 27201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1448 -ip 14481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4988 -ip 49881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 372 -ip 3721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1496 -ip 14961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2748 -ip 27481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1600 -ip 16001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 692 -ip 6921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3260 -ip 32601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4968 -ip 49681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4448 -ip 44481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 684 -ip 6841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4320 -ip 43201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 900 -ip 9001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4100 -ip 41001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2416 -ip 24161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2808 -ip 28081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4580 -ip 45801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2708 -ip 27081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3276 -ip 32761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1988 -ip 19881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3388 -ip 33881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1168 -ip 11681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4532 -ip 45321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2252 -ip 22521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3944 -ip 39441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2612 -ip 26121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4572 -ip 45721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2316 -ip 23161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2844 -ip 28441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3992 -ip 39921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1952 -ip 19521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4536 -ip 45361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2024 -ip 20241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4128 -ip 41281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2740 -ip 27401⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5c2e38219d7a60c6d2d6eddae03c85343
SHA1b7e589e418ffb337b676a7520672bb9d336075ad
SHA256efb484d82e900438e9b6910c3dc3ee6ba3cf828f5852000d90045dcd074dea79
SHA512a6c6a4bdfe05d8d3743b88e0821732cba640f064b399872665806e2e86c58de537bc188a02d3699e2e95d1a0e648cd30b2c457ad36480cf0489371f6cea33329
-
Filesize
84KB
MD5e9d80ff6fcd8ceeb2f0c63b6d84354fd
SHA19e697f748635834b3b88f33fbb77323261b325b0
SHA25691f5f7478ffcd500ad50e86ada1faffc60979b449af4d56b3bf1f71bb7da0a3d
SHA512aba78fb40aae7238b20ba9fbe9d975481da595896a651962c41b89f6bea323a7040afaf35a33f0608a4f2d0aaf899537a5e1cc37887afc6ece0e468f9916b343
-
Filesize
408KB
MD5ce86f406e025ab6c2d4619b42b06a10f
SHA1910ec8a487315a88f37d98e65c61886bfb6e5a8d
SHA256c74e9a1bc00368e1cce005364c3b8ec3822241d895febc6f018491ea368e6464
SHA5126b999d9b150eb8b6ecbb37a4b0f3e0a0246a97bce310044bdd90926945a4fd6942bfece1b0f64c57108834efc63a60feb48497db2d4a1a7ded076dc1fe162665
-
Filesize
42KB
MD582867b0c21d8c24cf50c4408d8f9821b
SHA108cdc310e08ae5e72502e4077134bb6de08f3739
SHA256900638a4da24c03753d210ea0c53ff6d729c04563c67b533c5e4f5271f4a3fd5
SHA512f416f2e257caa70d47f152958c95f3f71443afbdd1e641b37ae0ca5d15954f19d8f0461fe035dd3a23afcb6d5e8c62577ae33aa192e35da3af3922bd868f2e0c
-
Filesize
483KB
MD589669f54c2cf58a12e6eb05f0b0c8b45
SHA19dd08035fb240b2d8c284c31786f20c04e4d871a
SHA2567367a34c0b9d0c68678b8bd5bd02a54c94d7a60000aabc0525079b641c0f5e03
SHA512000188de8af2c2886ab5085890835e29cf0e65f6c9fc01a52f47a709650d8c9f411bb8931e545c27edc132ee14fa685ec063d5681bffd9ece56a52473e9f2686
-
Filesize
1.4MB
MD5c7fc0cee8ca35d709ed276e9f88ddbed
SHA1ceea9d76bf0429872f4d7420addd0abdb5e8f4dc
SHA256560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e
SHA512a1b93c9cb87993f77f2decf0e4ee33277567651d7fb664b579f3e293f97c6b198ce701c02cffd9d295b3e40f62cd6500f55bc252212c5ec81ac9e257831273da
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
16KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB