Analysis
-
max time kernel
149s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
29-04-2024 18:46
General
-
Target
085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe
-
Size
628KB
-
MD5
085e89b8c2a49aa819549e372a82a456
-
SHA1
844494e6e33fd48479b7509202a6fcbf43a0303e
-
SHA256
35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332
-
SHA512
e72de6ca5683eaee8800d31ce4dc427d6d5e9c5adc5bcab4728f83666b486eed0c17c445c930e22e109861535f65a765c2a957ff8d09d86e8513ea2fb5f0fd8b
-
SSDEEP
12288:Y2wm3VGxU4zxgc5E8k7xsfDdOjmVOAbbbbbb7nnnnnMhPhPhPhPhPhF:Pwm3Yxpz5nktI6mVfbbbbbb7nnnnnMhJ
Score
10/10
Malware Config
Extracted
Family
xpertrat
Version
3.0.10
Botnet
Test
C2
140.82.57.249:3614
Mutex
N3S7K4V2-L8C6-M6Q5-Y5I3-V6L7F1Y2X5G0
Signatures
-
UAC bypass 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
XpertRAT Core payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Program crash 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of UnmapMainImage 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Snyltehveps6" /TR "\"C:\ProgramData\Dissonans8.exe\""2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /run /tn "Snyltehveps6"2⤵
-
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2956 -ip 29561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4204 -ip 42041⤵
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4320 -ip 43201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2120 -ip 21201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4784 -ip 47841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2692 -ip 26921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4876 -ip 48761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3708 -ip 37081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2332 -ip 23321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 548 -ip 5481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4184 -ip 41841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1124 -ip 11241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1136 -ip 11361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3948 -ip 39481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4524 -ip 45241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 30761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1052 -ip 10521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3296 -ip 32961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3056 -ip 30561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3196 -ip 31961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2544 -ip 25441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2612 -ip 26121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2476 -ip 24761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1160 -ip 11601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 836 -ip 8361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3536 -ip 35361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4420 -ip 44201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2180 -ip 21801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3808 -ip 38081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 976 -ip 9761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1440 -ip 14401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4236 -ip 42361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3984 -ip 39841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1240 -ip 12401⤵
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 124⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 124⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 124⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3068 -ip 30681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4696 -ip 46961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1592 -ip 15921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 636 -ip 6361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1864 -ip 18641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2620 -ip 26201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4288 -ip 42881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4620 -ip 46201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 4852 -ip 48521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 228 -ip 2281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 712 -ip 7121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1208 -ip 12081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4776 -ip 47761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 872 -ip 8721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 692 -ip 6921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 2456 -ip 24561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1772 -ip 17721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 736 -ip 7361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1640 -ip 16401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 544 -ip 5441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 5016 -ip 50161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 4384 -ip 43841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 3508 -ip 35081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3084 -ip 30841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2380 -ip 23801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4364 -ip 43641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4768 -ip 47681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 740 -ip 7401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3164 -ip 31641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 4472 -ip 44721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 2424 -ip 24241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4744 -ip 47441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1832 -ip 18321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2992 -ip 29921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 4628 -ip 46281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4752 -ip 47521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2716 -ip 27161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 5068 -ip 50681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 908 -ip 9081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4564 -ip 45641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4896 -ip 48961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3468 -ip 34681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 804 -ip 8041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3748 -ip 37481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4480 -ip 44801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2752 -ip 27521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 756 -ip 7561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 4312 -ip 43121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 4112 -ip 41121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 3000 -ip 30001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2040 -ip 20401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3096 -ip 30961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4484 -ip 44841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4468 -ip 44681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1720 -ip 17201⤵
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Dissonans8.exeC:\ProgramData\Dissonans8.exe2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\ProgramData\Dissonans8.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 124⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2364 -ip 23641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3644 -ip 36441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 768 -ip 7681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3436 -ip 34361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4328 -ip 43281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4616 -ip 46161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3952 -ip 39521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4160 -ip 41601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 4496 -ip 44961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4140 -ip 41401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 3704 -ip 37041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 1288 -ip 12881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3500 -ip 35001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 220 -ip 2201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3180 -ip 31801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3636 -ip 36361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2340 -ip 23401⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
628KB
MD5c6b7a73e2d854ba9c52ccf6913c66b94
SHA1915979731b5b290c0457779f26dbc385611be3cd
SHA256e208a5a1b5c20b1f62fb04fb4033011f8b358a807942c18db9852edb6c5d2af1
SHA512f775862a177b533aac890227ca013307bdef64da056f8dee8f034e4d5f60878087254a4f27d6faae1363f9303402bad0976463bab29fc6e2c5b6868e7b742351
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
268KB
-
Filesize
1.1MB