glupteba | 0e6ed6846176bfe72cf9b11d77882b9f6e58b9469431643c354c90ec0bb6f603

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Size

6.5MB
MD5

a1d33dcfceb6c873427f79d9dceeb16f
SHA1

ebae24127a13d15f7937ac08abeacef1d42bc37d
SHA256

0e6ed6846176bfe72cf9b11d77882b9f6e58b9469431643c354c90ec0bb6f603
SHA512

9d0e55a7172d3479c0f0a5a7c0c419e520d290b629b796c63d71e564d926c073860108522a5a292725d1f880da2c06bc4c5f0ec584244863144447c8b5414be4
SSDEEP

196608:SZzk3OcQrxruTKPCEwvoC7KfTOSaWthXBpjdx:SlsOcQ1rLQ7KiSxX

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral2/memory/4160-2-0x0000000001F00000-0x00000000025D0000-memory.dmp	family_glupteba
behavioral2/memory/4160-3-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/4160-5-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/4160-6-0x0000000001F00000-0x00000000025D0000-memory.dmp	family_glupteba
behavioral2/memory/4700-9-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/4700-10-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/4700-16-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-18-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-20-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-21-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-23-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-24-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-25-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-27-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-28-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-29-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba
behavioral2/memory/1988-31-0x0000000000400000-0x0000000000AEB000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2960	netsh.exe
3544	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BoldBush = "\"C:\\Windows\\rss\\csrss.exe\""	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
File created	C:\Windows\rss\csrss.exe	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2776	4160	WerFault.exe	88
4352	4160	WerFault.exe	88
364	4160	WerFault.exe	88
4976	4160	WerFault.exe	88
4396	4160	WerFault.exe	88
536	4160	WerFault.exe	88
3816	4160	WerFault.exe	88
2212	4160	WerFault.exe	88
3872	4160	WerFault.exe	88
4368	4160	WerFault.exe	88
1072	4160	WerFault.exe	88
3712	4160	WerFault.exe	88
5084	4160	WerFault.exe	88
2476	4160	WerFault.exe	88
2748	4160	WerFault.exe	88
1236	4160	WerFault.exe	88
2372	4160	WerFault.exe	88
4984	4700	WerFault.exe	130
1212	4700	WerFault.exe	130
1720	4700	WerFault.exe	130
2168	4700	WerFault.exe	130
4788	4700	WerFault.exe	130
4592	4700	WerFault.exe	130
1524	4700	WerFault.exe	130
412	4700	WerFault.exe	130
3004	4700	WerFault.exe	130
3452	4700	WerFault.exe	130
2816	1988	WerFault.exe	158
5012	1988	WerFault.exe	158
2888	1988	WerFault.exe	158
3720	1988	WerFault.exe	158
3880	1988	WerFault.exe	158
3236	1988	WerFault.exe	158
2476	1988	WerFault.exe	158
2748	1988	WerFault.exe	158
1872	1988	WerFault.exe	158
3620	1988	WerFault.exe	158
4920	1988	WerFault.exe	158
1248	1988	WerFault.exe	158
636	1988	WerFault.exe	158
3412	1988	WerFault.exe	158
3288	1988	WerFault.exe	158
2876	1988	WerFault.exe	158
748	1988	WerFault.exe	158
1380	1988	WerFault.exe	158
1272	1988	WerFault.exe	158
412	1988	WerFault.exe	158
1328	1988	WerFault.exe	158
4824	1988	WerFault.exe	158
1664	1988	WerFault.exe	158
3208	1988	WerFault.exe	158
4756	1988	WerFault.exe	158
3528	1988	WerFault.exe	158
2096	1988	WerFault.exe	158
3272	1988	WerFault.exe	158
3860	1988	WerFault.exe	158
4524	1988	WerFault.exe	158
60	1988	WerFault.exe	158
4008	1988	WerFault.exe	158
1244	1988	WerFault.exe	158
5048	1988	WerFault.exe	158
4412	1988	WerFault.exe	158
4080	1988	WerFault.exe	158
1924	1988	WerFault.exe	158

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
1988	csrss.exe
1988	csrss.exe
1988	csrss.exe
1988	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4160	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 3156	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	150
PID 4700 wrote to memory of 3156	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	150
PID 3156 wrote to memory of 2960	3156	cmd.exe	154
PID 3156 wrote to memory of 2960	3156	cmd.exe	154
PID 4700 wrote to memory of 1844	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	155
PID 4700 wrote to memory of 1844	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	155
PID 1844 wrote to memory of 3544	1844	cmd.exe	157
PID 1844 wrote to memory of 3544	1844	cmd.exe	157
PID 4700 wrote to memory of 1988	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	158
PID 4700 wrote to memory of 1988	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	158
PID 4700 wrote to memory of 1988	4700	a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe	158

C:\Users\Admin\AppData\Local\Temp\a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 296
  2⤵
  - Program crash
  PID:2776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 304
  2⤵
  - Program crash
  PID:4352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 300
  2⤵
  - Program crash
  PID:364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 624
  2⤵
  - Program crash
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 628
  2⤵
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 676
  2⤵
  - Program crash
  PID:536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 676
  2⤵
  - Program crash
  PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 668
  2⤵
  - Program crash
  PID:2212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 704
  2⤵
  - Program crash
  PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 604
  2⤵
  - Program crash
  PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 712
  2⤵
  - Program crash
  PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 656
  2⤵
  - Program crash
  PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 776
  2⤵
  - Program crash
  PID:5084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 728
  2⤵
  - Program crash
  PID:2476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 812
  2⤵
  - Program crash
  PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 728
  2⤵
  - Program crash
  PID:1236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 576
  2⤵
  - Program crash
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a1d33dcfceb6c873427f79d9dceeb16f_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 260
    3⤵
    - Program crash
    PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 284
    3⤵
    - Program crash
    PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 276
    3⤵
    - Program crash
    PID:1720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 672
    3⤵
    - Program crash
    PID:2168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 728
    3⤵
    - Program crash
    PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 736
    3⤵
    - Program crash
    PID:4592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 736
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 776
    3⤵
    - Program crash
    PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 804
    3⤵
    - Program crash
    PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 764
    3⤵
    - Program crash
    PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3544
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe /6-JaffaCakes118
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 292
      4⤵
      Program crash
      PID:2816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 320
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 304
      4⤵
      Program crash
      PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 748
      4⤵
      Program crash
      PID:3720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 784
      4⤵
      Program crash
      PID:3880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 784
      4⤵
      Program crash
      PID:3236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 784
      4⤵
      Program crash
      PID:2476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 836
      4⤵
      Program crash
      PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 828
      4⤵
      Program crash
      PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 700
      4⤵
      Program crash
      PID:3620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 860
      4⤵
      Program crash
      PID:4920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 844
      4⤵
      Program crash
      PID:1248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 824
      4⤵
      Program crash
      PID:636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 892
      4⤵
      Program crash
      PID:3412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 880
      4⤵
      Program crash
      PID:3288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 816
      4⤵
      Program crash
      PID:2876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 972
      4⤵
      Program crash
      PID:748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 924
      4⤵
      Program crash
      PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 992
      4⤵
      Program crash
      PID:1272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1004
      4⤵
      Program crash
      PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 908
      4⤵
      Program crash
      PID:1328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1008
      4⤵
      Program crash
      PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1416
      4⤵
      Program crash
      PID:1664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1428
      4⤵
      Program crash
      PID:3208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1520
      4⤵
      Program crash
      PID:4756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1448
      4⤵
      Program crash
      PID:3528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1376
      4⤵
      Program crash
      PID:2096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1468
      4⤵
      Program crash
      PID:3272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1544
      4⤵
      Program crash
      PID:3860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1460
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1564
      4⤵
      Program crash
      PID:60
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1580
      4⤵
      Program crash
      PID:4008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1536
      4⤵
      Program crash
      PID:1244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1548
      4⤵
      Program crash
      PID:5048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1436
      4⤵
      Program crash
      PID:4412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1556
      4⤵
      Program crash
      PID:4080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1452
      4⤵
      Program crash
      PID:1924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1488
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1596
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1528
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1548
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1392
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1548
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1432
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1448
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1460
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1536
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1416
      4⤵
      PID:116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1552
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1404
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1452
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1472
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1384
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1460
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1416
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1388
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1548
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1556
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1412
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1528
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1460
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1372
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1544
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1492
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1388
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1372
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1444
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1448
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1528
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1488
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1412
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1488
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 528
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1388
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1484
      4⤵
      PID:60
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1540
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 900
      4⤵
      PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4160 -ip 4160
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4160 -ip 4160
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4160 -ip 4160
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4160 -ip 4160
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4160 -ip 4160
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4160 -ip 4160
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4160 -ip 4160
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4160 -ip 4160
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4160 -ip 4160
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4160 -ip 4160
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4160 -ip 4160
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4160 -ip 4160
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4160 -ip 4160
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4160 -ip 4160
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4160 -ip 4160
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4160 -ip 4160
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4160 -ip 4160
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4700 -ip 4700
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4700 -ip 4700
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4700 -ip 4700
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4700 -ip 4700
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4700 -ip 4700
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4700 -ip 4700
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4700 -ip 4700
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4700 -ip 4700
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4700 -ip 4700
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4700 -ip 4700
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1988 -ip 1988
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1988 -ip 1988
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1988 -ip 1988
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1988 -ip 1988
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1988 -ip 1988
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1988 -ip 1988
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1988 -ip 1988
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1988 -ip 1988
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1988 -ip 1988
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1988 -ip 1988
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1988 -ip 1988
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1988 -ip 1988
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1988 -ip 1988
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1988 -ip 1988
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1988 -ip 1988
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1988 -ip 1988
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1988 -ip 1988
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1988 -ip 1988
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1988 -ip 1988
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1988 -ip 1988
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1988 -ip 1988
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1988 -ip 1988
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1988 -ip 1988
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1988 -ip 1988
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1988 -ip 1988
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1988 -ip 1988
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1988 -ip 1988
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1988 -ip 1988
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1988 -ip 1988
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1988 -ip 1988
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1988 -ip 1988
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1988 -ip 1988
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1988 -ip 1988
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1988 -ip 1988
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1988 -ip 1988
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1988 -ip 1988
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1988 -ip 1988
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1988 -ip 1988
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1988 -ip 1988
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1988 -ip 1988
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1988 -ip 1988
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1988 -ip 1988
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1988 -ip 1988
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1988 -ip 1988
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1988 -ip 1988
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1988 -ip 1988
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1988 -ip 1988
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe

Filesize
6.5MB

MD5
a1d33dcfceb6c873427f79d9dceeb16f

SHA1
ebae24127a13d15f7937ac08abeacef1d42bc37d

SHA256
0e6ed6846176bfe72cf9b11d77882b9f6e58b9469431643c354c90ec0bb6f603

SHA512
9d0e55a7172d3479c0f0a5a7c0c419e520d290b629b796c63d71e564d926c073860108522a5a292725d1f880da2c06bc4c5f0ec584244863144447c8b5414be4

Download Submit
memory/1988-25-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-24-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-18-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-29-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-28-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-27-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-23-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-20-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-21-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/1988-31-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/4160-5-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/4160-2-0x0000000001F00000-0x00000000025D0000-memory.dmp

Filesize
6.8MB

Download
memory/4160-3-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/4160-1-0x0000000001A20000-0x0000000001EF4000-memory.dmp

Filesize
4.8MB

Download
memory/4160-6-0x0000000001F00000-0x00000000025D0000-memory.dmp

Filesize
6.8MB

Download
memory/4700-10-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/4700-9-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/4700-8-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/4700-16-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download