bitrat | 6248ca77e095fba357308535038777b0e555c085dfa828a6f16faac4d818a7a3

General

Target

f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
Size

5.0MB
MD5

f16151d0d1ea959552d2fe8a724b0dc5
SHA1

d71382495ec36153ce86cb0e94755d283fbe53e6
SHA256

6248ca77e095fba357308535038777b0e555c085dfa828a6f16faac4d818a7a3
SHA512

3f9b550ed515a5e0f3f99f2235bef39d1a8332496b1e37cdf107c1ab4d54875c8a6142d3a5c277c504328b04821cd8d46608e0c2c977a4c256e1530f20096e57
SSDEEP

98304:viS/sRZddY2EGcHg/InwJtNELakTwPAALRuPa6o0h7:vxkZdCvGwbaYTas5o09

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

elevenpaths.cc:420

Attributes

communication_password
e48e13207341b6bffb7fb1622282247b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

pid	process
1800	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1800	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1800	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1800	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

Program crash 48 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
228	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4064	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4472	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4680	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4396	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4496	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
336	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
872	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4476	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2700	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1068	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4592	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2612	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2144	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4468	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3548	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4420	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1360	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
776	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
5076	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4544	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3920	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
832	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2096	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
988	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2428	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3664	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2376	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1624	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4952	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3024	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3148	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2112	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3732	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2912	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3944	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4624	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
5116	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3752	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
208	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3660	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
5112	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3172	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4644	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
336	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
3592	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
2868	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
4752	1800	WerFault.exe	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

description pid process

Token: SeShutdownPrivilege 1800 f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

pid process

1800 f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
1800 f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

description	pid	process
Token: SeShutdownPrivilege	1800	f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f16151d0d1ea959552d2fe8a724b0dc5_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 872
2⤵
- Program crash
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 756
2⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 756
2⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 892
2⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1260
2⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1296
2⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1300
2⤵
- Program crash
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1296
2⤵
- Program crash
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1336
2⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1272
2⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1360
2⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1392
2⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1388
2⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1396
2⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1352
2⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1436
2⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1432
2⤵
- Program crash
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1396
2⤵
- Program crash
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1264
2⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1488
2⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1408
2⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516
2⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1492
2⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1544
2⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1352
2⤵
- Program crash
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1364
2⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1264
2⤵
- Program crash
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1424
2⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1536
2⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1508
2⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1296
2⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1508
2⤵
- Program crash
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1376
2⤵
- Program crash
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 952
2⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1500
2⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1452
2⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516
2⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1364
2⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1508
2⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1512
2⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1452
2⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1544
2⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1444
2⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1460
2⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1368
2⤵
- Program crash
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1372
2⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1364
2⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1356
2⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1800 -ip 1800
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1800 -ip 1800
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1800 -ip 1800
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1800 -ip 1800
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1800 -ip 1800
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1800 -ip 1800
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1800 -ip 1800
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1800 -ip 1800
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1800 -ip 1800
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1800 -ip 1800
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1800 -ip 1800
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1800 -ip 1800
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1800 -ip 1800
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1800 -ip 1800
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1800 -ip 1800
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1800 -ip 1800
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1800 -ip 1800
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1800 -ip 1800
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1800 -ip 1800
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1800 -ip 1800
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1800 -ip 1800
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1800 -ip 1800
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1800 -ip 1800
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1800 -ip 1800
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1800 -ip 1800
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1800 -ip 1800
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1800 -ip 1800
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1800 -ip 1800
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1800 -ip 1800
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1800 -ip 1800
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1800 -ip 1800
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1800 -ip 1800
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1800 -ip 1800
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1800 -ip 1800
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1800 -ip 1800
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1800 -ip 1800
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1800 -ip 1800
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1800 -ip 1800
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1800 -ip 1800
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1800 -ip 1800
1⤵
PID:5108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-0-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000003250000-0x00000000036F9000-memory.dmp

Filesize
4.7MB

Download
memory/1800-2-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-3-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-4-0x00000000741E0000-0x0000000074219000-memory.dmp

Filesize
228KB

Download
memory/1800-5-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-6-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-7-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-8-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-10-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-11-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-12-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-13-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-14-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-16-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-17-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-18-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-19-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-21-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-22-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-24-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download
memory/1800-25-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-26-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/1800-31-0x0000000073F30000-0x0000000073F69000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing