Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
- Size: 200KB
- MD5: 3bd77d78bd8637e06ed6356abfa9d196
- SHA1: eff1a7b64280ae0a312669c8fd40c0d77dcb9216
- SHA256: 13bf64ee0bd2893f76c4b5ddf18316528a7ec6d03b945f18f28102029317909b
- SHA512: d7febc858fdf0b697623db6436ba907992c09fdce415d5a0175eb44df8127a54a984af116d9f972f82d3dab04de1e7f7b06e21712968e08179d77b40cd43e26f
- SSDEEP: 3072:v7PHhfEYrZL6nKclJRp6OeZroPoVDGOVAm6vZ8FH3FYwcE2oR2r0:jpfE8L6nKclJREAoVSOR6yx3wElR24
Malware Config
Extracted:
- Family: xtremerat
- momo44.no-ip.biz
Signatures

Detect XtremeRAT payload (34 IoCs)
resource | yara_rule
behavioral2/memory/3152-14-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/3564-18-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/3564-19-0x00000000777D0000-0x00000000778C0000-memory.dmp | family_xtremerat
behavioral2/memory/3972-22-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/372-26-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2600-30-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4268-34-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4128-38-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4140-42-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/912-47-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/936-52-0x00000000777D0000-0x00000000778C0000-memory.dmp | family_xtremerat
behavioral2/memory/3904-67-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2196-69-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4604-71-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4488-73-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4828-75-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/1008-77-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/936-80-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2084-85-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2928-87-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2848-89-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2540-91-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/64-93-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/3516-95-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2908-97-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2364-99-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/2496-104-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/860-106-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4140-108-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/1680-110-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4108-112-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/1408-114-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/4468-116-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
behavioral2/memory/852-118-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 process entries)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 identical rows)
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 identical rows)
Checks computer location settings (2 TTPs, 10 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (10 process entries)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (10 identical rows)
Molebox Virtualization software (4 IoCs)
Detects file using Molebox Virtualization software.
resource | yara_rule
behavioral2/memory/912-2-0x0000000000C80000-0x0000000000CA1000-memory.dmp | molebox
behavioral2/memory/936-49-0x0000000000C80000-0x0000000000CA1000-memory.dmp | molebox
behavioral2/memory/2364-79-0x0000000000C80000-0x0000000000CA1000-memory.dmp | molebox
behavioral2/memory/3832-100-0x0000000000C80000-0x0000000000CA1000-memory.dmp | molebox
Adds Run key to start application (2 TTPs, 22 IoCs)
Processes: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 process entries)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 identical rows)
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 identical rows)
Drops file in System32 directory (22 IoCs)
Processes: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 process entries)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 identical rows)
File created | C:\Windows\SysWOW64\Install12\System.exe | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe (11 identical rows)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
Processes: WerFault.exe (64 process entries)
pid | pid_target | process | target process
2364, 3144 | 3564 | WerFault.exe | svchost.exe
880, 5076 | 3972 | WerFault.exe | svchost.exe
4016, 2404 | 372 | WerFault.exe | svchost.exe
5036, 1960 | 2600 | WerFault.exe | svchost.exe
3156, 3888 | 4268 | WerFault.exe | svchost.exe
2320, 3720 | 4128 | WerFault.exe | svchost.exe
2356, 4540 | 4140 | WerFault.exe | svchost.exe
2556, 4024 | 3904 | WerFault.exe | svchost.exe
3288, 2948 | 2196 | WerFault.exe | svchost.exe
2660, 1392 | 4604 | WerFault.exe | svchost.exe
1164, 4388 | 4488 | WerFault.exe | svchost.exe
4068, 1848 | 4828 | WerFault.exe | svchost.exe
1196, 1844 | 1008 | WerFault.exe | svchost.exe
4112, 2284 | 2928 | WerFault.exe | svchost.exe
4016, 4908 | 2848 | WerFault.exe | svchost.exe
1416, 524 | 2540 | WerFault.exe | svchost.exe
5020, 4116 | 64 | WerFault.exe | svchost.exe
1320, 2292 | 3516 | WerFault.exe | svchost.exe
2420, 4284 | 2908 | WerFault.exe | svchost.exe
3048, 2748 | 860 | WerFault.exe | svchost.exe
4036, 2180 | 4140 | WerFault.exe | svchost.exe
3052, 1716 | 1680 | WerFault.exe | svchost.exe
3876, 1856 | 4108 | WerFault.exe | svchost.exe
4716, 1020 | 1408 | WerFault.exe | svchost.exe
1164, 4480 | 4468 | WerFault.exe | svchost.exe
3964, 1124 | 852 | WerFault.exe | svchost.exe
4484, 1836 | 2124 | WerFault.exe | svchost.exe
4112, 2824 | 4684 | WerFault.exe | svchost.exe
2636, 676 | 2932 | WerFault.exe | svchost.exe
524, 928 | 1416 | WerFault.exe | svchost.exe
4232, 4948 | 2080 | WerFault.exe | svchost.exe
4668, 3572 | 1460 | WerFault.exe | svchost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
pid | process
1848 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exedescription pid process target process PID 912 wrote to memory of 3152 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3152 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3152 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3152 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3564 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3564 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3564 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3564 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3972 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3972 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3972 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 3972 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 372 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 372 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 372 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 372 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 2600 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 2600 912 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe svchost.exe PID 912 wrote to memory of 2600 912 
WriteProcessMemory rows (continued from the preceding table). Each row is one recorded write; the flattened columns are description, source PID, source process, target process. The source process is 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe in every row, so it is not repeated below.

Description                      | Source PID | Target process                                      | Rows in this span
PID 912 wrote to memory of 2600  | 912        | svchost.exe                                         | 2 (the first is the tail of a row that starts before this span)
PID 912 wrote to memory of 4268  | 912        | svchost.exe                                         | 4
PID 912 wrote to memory of 4128  | 912        | svchost.exe                                         | 4
PID 912 wrote to memory of 4140  | 912        | svchost.exe                                         | 4
PID 912 wrote to memory of 2240  | 912        | svchost.exe                                         | 3
PID 912 wrote to memory of 936   | 912        | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | 3
PID 936 wrote to memory of 2736  | 936        | svchost.exe                                         | 3
PID 936 wrote to memory of 4900  | 936        | svchost.exe                                         | 3
PID 936 wrote to memory of 636   | 936        | svchost.exe                                         | 3
PID 936 wrote to memory of 3904  | 936        | svchost.exe                                         | 4
PID 936 wrote to memory of 2196  | 936        | svchost.exe                                         | 4
PID 936 wrote to memory of 4604  | 936        | svchost.exe                                         | 4
PID 936 wrote to memory of 4488  | 936        | svchost.exe                                         | 4
PID 936 wrote to memory of 4828  | 936        | svchost.exe                                         | 1
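The rows above are the raw material for an injection graph: which copy of the sample writes into which freshly started svchost.exe, how many writes each host receives, and which of those hosts then die (the WerFault -u -p &lt;pid&gt; entries in the process tree). The script below is an added example for this report, not part of the sandbox's own tooling. It parses rows in the flattened "description, source PID, source process, target process" order shown above (that field order, and the regexes, are assumptions about the export format), correlates them with WerFault command lines, and flags the one edge where the sample writes into another copy of itself rather than into svchost.exe, which is how the nested chain of copies in the process tree arises. The sample input is copied from rows on this page and embedded as constructed test data so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample input, copied from rows in the report above. The
# WriteProcessMemory table flattens to
#   "PID <src> wrote to memory of <dst> <src> <source image> <target image>"
# with one row per recorded write (assumption about the export format).
SAMPLE = "3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
WRITE_ROWS = "\n".join(
    [f"PID 912 wrote to memory of 4268 912 {SAMPLE} svchost.exe"] * 4
    + [f"PID 912 wrote to memory of 4140 912 {SAMPLE} svchost.exe"] * 4
    + [f"PID 912 wrote to memory of 2240 912 {SAMPLE} svchost.exe"] * 3
    + [f"PID 912 wrote to memory of 936 912 {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 936 wrote to memory of 2736 936 {SAMPLE} svchost.exe"] * 3
    + [f"PID 936 wrote to memory of 3904 936 {SAMPLE} svchost.exe"] * 4
    + [f"PID 936 wrote to memory of 4828 936 {SAMPLE} svchost.exe"]
)
# WerFault command lines taken from the process tree, one per crash report.
CRASH_ROWS = r"""
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 200
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 208
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 204
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 204
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 204
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")
CRASH_RE = re.compile(r"WerFault\.exe -u -p (\d+)\b")


def parse_writes(text):
    """Count recorded writes per (source pid, target pid, source image, target image)."""
    edges = Counter()
    for m in WRITE_RE.finditer(text):
        src, dst, src_again, src_img, dst_img = m.groups()
        if src != src_again:  # the source pid is printed twice; a mismatch means a torn row
            raise ValueError(f"inconsistent row: {m.group(0)}")
        edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def crashed_targets(text):
    """PIDs WerFault was launched for (-u -p <pid>): the injected host died."""
    return {int(pid) for pid in CRASH_RE.findall(text)}


def summarize(edges, crashed):
    """One record per injection edge, flagging self-reinjection and crashed hosts."""
    rows = []
    for (src, dst, src_img, dst_img), n in sorted(edges.items()):
        rows.append({
            "src": src, "dst": dst, "target_image": dst_img, "writes": n,
            # Writing into a new copy of its own image is the step that
            # produces the next level of the nested process chain.
            "same_image": src_img == dst_img,
            "crashed": dst in crashed,
        })
    return rows


def svchost_crash_rate(rows):
    """(crashed, total) over svchost.exe hosts that received writes."""
    hosts = [r for r in rows if r["target_image"].lower() == "svchost.exe"]
    return sum(r["crashed"] for r in hosts), len(hosts)


if __name__ == "__main__":
    summary = summarize(parse_writes(WRITE_ROWS), crashed_targets(CRASH_ROWS))
    for r in summary:
        print(r)
    print("svchost hosts crashed after injection: %d of %d" % svchost_crash_rate(summary))
```

The crash correlation is the useful check: a host that receives a handful of writes and is then named by WerFault within seconds is an injection that did not take, and the high crash ratio in this report is why the tree is dominated by WerFault instances rather than by a single long-lived RAT host.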
Processes
Each entry: [tree depth] PID, image path, command line; behaviour signatures follow on indented lines or in parentheses.

[1] PID 912  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
  [2] PID 3152  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
  [2] PID 3564  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 2364  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 200  (Program crash)
    [3] PID 3144  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 220  (Program crash)
  [2] PID 3972  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 880  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 212  (Program crash)
    [3] PID 5076  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 220  (Program crash)
  [2] PID 372  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 4016  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 200  (Program crash)
    [3] PID 2404  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 208  (Program crash)
  [2] PID 2600  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 5036  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 200  (Program crash)
    [3] PID 1960  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 208  (Program crash)
  [2] PID 4268  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 3156  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 200  (Program crash)
    [3] PID 3888  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 208  (Program crash)
  [2] PID 4128  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 2320  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 204  (Program crash)
    [3] PID 3720  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 212  (Program crash)
  [2] PID 4140  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 2356  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 204  (Program crash)
    [3] PID 4540  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 228  (Program crash)
  [2] PID 2240  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
  [2] PID 936  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] PID 2736  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 4900  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 636  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 3904  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 2556  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 204  (Program crash)
      [4] PID 4024  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 224  (Program crash)
    [3] PID 2196  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 3288  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 204  (Program crash)
      [4] PID 2948  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 224  (Program crash)
    [3] PID 4604  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 2660  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 204  (Program crash)
      [4] PID 1392  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 224  (Program crash)
    [3] PID 4488  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 1164  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 204  (Program crash)
      [4] PID 4388  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 212  (Program crash)
    [3] PID 4828  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 4068  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 204  (Program crash)
      [4] PID 1848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 224  (Program crash)
    [3] PID 1008  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 1196  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 204  (Program crash)
      [4] PID 1844  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 224  (Program crash)
    [3] PID 3296  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
    [3] PID 2364  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
        - Boot or Logon Autostart Execution: Active Setup
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in System32 directory
      [4] PID 2084  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 2928  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 4112  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 204  (Program crash)
        [5] PID 2284  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 212  (Program crash)
      [4] PID 2848  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 4016  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 204  (Program crash)
        [5] PID 4908  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 212  (Program crash)
      [4] PID 2540  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 1416  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 200  (Program crash)
        [5] PID 524  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 208  (Program crash)
      [4] PID 64  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 5020  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 204  (Program crash)
        [5] PID 4116  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 212  (Program crash)
      [4] PID 4136  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 4744  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 3516  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 1320  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 204  (Program crash)
        [5] PID 2292  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 224  (Program crash)
      [4] PID 2908  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 2420  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 204  (Program crash)
        [5] PID 4284  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 224  (Program crash)
      [4] PID 1568  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
      [4] PID 3832  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
          - Boot or Logon Autostart Execution: Active Setup
          - Checks computer location settings
          - Adds Run key to start application
          - Drops file in System32 directory
        [5] PID 2496  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 860  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 3048  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 200  (Program crash)
          [6] PID 2748  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 208  (Program crash)
        [5] PID 4140  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 4036  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 204  (Program crash)
          [6] PID 2180  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 224  (Program crash)
        [5] PID 1680  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 3052  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 204  (Program crash)
          [6] PID 1716  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 224  (Program crash)
        [5] PID 4108  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 3876  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 204  (Program crash)
          [6] PID 1856  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 224  (Program crash)
        [5] PID 1408  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 4716  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 204  (Program crash)
          [6] PID 1020  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 224  (Program crash)
        [5] PID 4468  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 1164  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 200  (Program crash)
          [6] PID 4480  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 208  (Program crash)
        [5] PID 852  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 3964  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 204  (Program crash)
          [6] PID 1124  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 224  (Program crash)
        [5] PID 1196  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
        [5] PID 4676  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
            - Boot or Logon Autostart Execution: Active Setup
            - Checks computer location settings
            - Adds Run key to start application
            - Drops file in System32 directory
          [6] PID 4940  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 2124  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 4484  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 200  (Program crash)
            [7] PID 1836  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 224  (Program crash)
          [6] PID 1376  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 4748  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 4248  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 2112  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 4684  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 4112  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 204  (Program crash)
            [7] PID 2824  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 224  (Program crash)
          [6] PID 2932  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 2636  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 204  (Program crash)
            [7] PID 676  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 84  (Program crash)
          [6] PID 1416  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 524  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 204  (Program crash)
            [7] PID 928  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 224  (Program crash)
          [6] PID 2080  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 4232  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 204  (Program crash)
            [7] PID 4948  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 224  (Program crash)
          [6] PID 4240  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          [6] PID 3372  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
              - Boot or Logon Autostart Execution: Active Setup
              - Checks computer location settings
              - Adds Run key to start application
              - Drops file in System32 directory
            [7] PID 3720  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 1460  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 4668  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 204  (Program crash)
              [8] PID 3572  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 224  (Program crash)
            [7] PID 4548  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 2348  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 204
              [8] PID 5116  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 224
            [7] PID 1032  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 2044  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 204
              [8] PID 3152  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 84
            [7] PID 1972  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 4760  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 204
              [8] PID 3672  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 224
            [7] PID 2532  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 3052  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 2556  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 3688  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204
              [8] PID 4332  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 224
            [7] PID 1236  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 2312  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 204
              [8] PID 5052  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 224
            [7] PID 1072  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
            [7] PID 3816  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
                - Boot or Logon Autostart Execution: Active Setup
                - Checks computer location settings
                - Adds Run key to start application
                - Drops file in System32 directory
              [8] PID 3716  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 768  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 4236  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 204
                [9] PID 3548  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 192
              [8] PID 636  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 4488  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 212
                [9] PID 936  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 220
              [8] PID 4416  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 1512  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 200
                [9] PID 4976  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 224
              [8] PID 676  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 2504  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 200
                [9] PID 4368  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 208
              [8] PID 4116  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 3128  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 204
                [9] PID 4400  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 224
              [8] PID 2168  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 880  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 200
                [9] PID 4192  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 224
              [8] PID 2292  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 1620  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 204
                [9] PID 3516  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 224
              [8] PID 2928  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
              [8] PID 3004  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
                  - Boot or Logon Autostart Execution: Active Setup
                  - Checks computer location settings
                  - Adds Run key to start application
                  - Drops file in System32 directory
                [9] PID 4344  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 2348  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 3048  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 200
                  [10] PID 2748  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 224
                [9] PID 3152  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 3524  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 204
                  [10] PID 4436  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 224
                [9] PID 2008  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 4380  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 472  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 4032  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 204
                  [10] PID 2304  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 212
                [9] PID 3108  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 2312  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 204
                  [10] PID 1636  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 224
                [9] PID 2232  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 2848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 204
                  [10] PID 4156  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 224
                [9] PID 1880  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 3964  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 204
                  [10] PID 2132  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 224
                [9] PID 2432  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                [9] PID 228  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
                    - Boot or Logon Autostart Execution: Active Setup
                    - Checks computer location settings
                    - Adds Run key to start application
                    - Drops file in System32 directory
                  [10] PID 852  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 4764  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 3656  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 2160  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 804  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 204
                    [11] PID 5096  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 224
                  [10] PID 2036  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 4484  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 1836  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 3016  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 204
                    [11] PID 2844  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 224
                  [10] PID 3444  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 1292  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 204
                    [11] PID 2404  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 224
                  [10] PID 3984  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 3420  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 204
                    [11] PID 4368  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 224
                  [10] PID 3536  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 4612  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 204
                    [11] PID 4748  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 84
                  [10] PID 3480  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                  [10] PID 1948  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
                      - Boot or Logon Autostart Execution: Active Setup
                      - Checks computer location settings
                      - Adds Run key to start application
                      - Drops file in System32 directory
                    [11] PID 1800  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 1496  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 3708  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 1756  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 4676  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 204
                      [12] PID 3724  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 224
                    [11] PID 768  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 2640  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 208
                      [12] PID 4012  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 228
                    [11] PID 4476  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 3972  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 204
                      [12] PID 4268  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 224
                    [11] PID 1132  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 2272  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 204
                      [12] PID 3340  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 224
                    [11] PID 912  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 4856  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 1548  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 4648  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 200
                      [12] PID 2304  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 224
                    [11] PID 1696  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                    [11] PID 1848  C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"
                        - Boot or Logon Autostart Execution: Active Setup
                        - Adds Run key to start application
                        - Drops file in System32 directory
                        - Suspicious use of SetWindowsHookEx
                      [12] PID 2696  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 4952  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                        [13] PID 4156  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 212
                        [13] PID 1152  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 232
                      [12] PID 5024  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                        [13] PID 3552  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 200
                        [13] PID 5108  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 224
                      [12] PID 2908  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                        [13] PID 64  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 204
                        [13] PID 2408  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 224
                      [12] PID 1880  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                        [13] PID 4888  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 204
                        [13] PID 1856  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 224
                      [12] PID 804  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                        [13] PID 780  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 200
                        [13] PID 1852  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 224
                      [12] PID 3020  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                        [13] PID 3016  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 200
                        [13] PID 2844  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 224
                      [12] PID 1536  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 2636  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
                      [12] PID 5036  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
[1] PID 4044  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3564 -ip 3564
[1] PID 2360  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3564 -ip 3564
[1] PID 2928  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3972 -ip 3972
[1] PID 4976  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3972 -ip 3972
[1] PID 2848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 372 -ip 372
[1] PID 1452  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 372 -ip 372
[1] PID 5000  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2600 -ip 2600
[1] PID 3468  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2600 -ip 2600
[1] PID 3004  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4268 -ip 4268
[1] PID 5020  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4268 -ip 4268
[1] PID 2664  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4128 -ip 4128
[1] PID 2420  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4128 -ip 4128
[1] PID 2996  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
[1] PID 4344  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4140 -ip 4140
[1] PID 3672  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3904 -ip 3904
[1] PID 3380  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3904 -ip 3904
[1] PID 2696  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
[1] PID 3076  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2196 -ip 2196
[1] PID 4328  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
[1] PID 696  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4604 -ip 4604
[1] PID 4468  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4488 -ip 4488
[1] PID 1564  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4488 -ip 4488
[1] PID 3272  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4828 -ip 4828
[1] PID 1636  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4828 -ip 4828
[1] PID 3692  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1008 -ip 1008
[1] PID 3040  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1008 -ip 1008
[1] PID 3392  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2928 -ip 2928
[1] PID 3020  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2928 -ip 2928
[1] PID 2932  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2848 -ip 2848
[1] PID 2952  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2848 -ip 2848
[1] PID 676  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2540 -ip 2540
[1] PID 1456  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2540 -ip 2540
[1] PID 1352  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 64 -ip 64
[1] PID 2080  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 64 -ip 64
[1] PID 2440  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3516 -ip 3516
[1] PID 3128  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3516 -ip 3516
[1] PID 4080  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2908 -ip 2908
[1] PID 4952  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2908 -ip 2908
[1] PID 4184  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 860 -ip 860
[1] PID 1332  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 860 -ip 860
[1] PID 748  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4140 -ip 4140
[1] PID 4760  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4140 -ip 4140
[1] PID 2176  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1680 -ip 1680
[1] PID 2408  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1680 -ip 1680
[1] PID 3952  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4108 -ip 4108
[1] PID 3076  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4108 -ip 4108
[1] PID 1572  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1408 -ip 1408
[1] PID 4724  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1408 -ip 1408
[1] PID 688  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4468 -ip 4468
[1] PID 4688  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4468 -ip 4468
[1] PID 1848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 852 -ip 852
[1] PID 3692  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 852 -ip 852
[1] PID 5096  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2124 -ip 2124
[1] PID 3680  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2124 -ip 2124
[1] PID 5076  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4684 -ip 4684
[1] PID 1552  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4684 -ip 4684
[1] PID 1752  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 2932 -ip 2932
[1] PID 3472  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2932 -ip 2932
[1] PID 4980  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1416 -ip 1416
[1] PID 3156  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1416 -ip 1416
[1] PID 1464  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2080 -ip 2080
[1] PID 2256  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 2080 -ip 2080
[1] PID 4804  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1460 -ip 1460
[1] PID 2928  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1460 -ip 1460
[1] PID 420  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4548 -ip 4548
[1] PID 5112  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4548 -ip 4548
[1] PID 2600  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1032 -ip 1032
[1] PID 1576  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1032 -ip 1032
[1] PID 3856  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1972 -ip 1972
[1] PID 3488  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 1972 -ip 1972
[1] PID 1716  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 2556 -ip 2556
[1] PID 3952  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 2556 -ip 2556
[1] PID 2604  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1236 -ip 1236
[1] PID 2904  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1236 -ip 1236
[1] PID 3848  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 768 -ip 768
[1] PID 820  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 768 -ip 768
[1] PID 4496  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 636 -ip 636
[1] PID 4484  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 636 -ip 636
[1] PID 1384  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4416 -ip 4416
[1] PID 4000  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4416 -ip 4416
[1] PID 4980  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 676 -ip 676
[1] PID 4964  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 676 -ip 676
[1] PID 1584  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4116 -ip 4116
[1] PID 3116  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4116 -ip 4116
[1] PID 4692  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 2168 -ip 2168
[1] PID 1960  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2168 -ip 2168
[1] PID 4600  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 2292 -ip 2292
[1] PID 5040  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2292 -ip 2292
[1] PID 372  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 2348 -ip 2348
[1] PID 1672  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 2348 -ip 2348
[1] PID 2272  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3152 -ip 3152
[1] PID 3340  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3152 -ip 3152
[1] PID 3688  C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 472 -ip 472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 472 -ip 4721⤵PID:4916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3108 -ip 31081⤵PID:4572
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3108 -ip 31081⤵PID:3272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2232 -ip 22321⤵PID:2420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2232 -ip 22321⤵PID:4284
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1880 -ip 18801⤵PID:1740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1880 -ip 18801⤵PID:3372
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2160 -ip 21601⤵PID:1564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 2160 -ip 21601⤵PID:2544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1836 -ip 18361⤵PID:936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1836 -ip 18361⤵PID:4560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3444 -ip 34441⤵PID:2636
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3444 -ip 34441⤵PID:4908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3984 -ip 39841⤵PID:4736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3984 -ip 39841⤵PID:1456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3536 -ip 35361⤵PID:4948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3536 -ip 35361⤵PID:2100
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1756 -ip 17561⤵PID:2084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 1756 -ip 17561⤵PID:1124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 768 -ip 7681⤵PID:2776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 768 -ip 7681⤵PID:4144
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4476 -ip 44761⤵PID:2692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4476 -ip 44761⤵PID:1332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 1132 -ip 11321⤵PID:3824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1132 -ip 11321⤵PID:1400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 1548 -ip 15481⤵PID:2028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1548 -ip 15481⤵PID:3876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4952 -ip 49521⤵PID:1460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4952 -ip 49521⤵PID:4336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 5024 -ip 50241⤵PID:3964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 5024 -ip 50241⤵PID:5052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 2908 -ip 29081⤵PID:4004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 2908 -ip 29081⤵PID:976
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 1880 -ip 18801⤵PID:3004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 1880 -ip 18801⤵PID:3456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 804 -ip 8041⤵PID:988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 804 -ip 8041⤵PID:3548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 3020 -ip 30201⤵PID:1384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 3020 -ip 30201⤵PID:4000
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
72a5ebc90e1ed885685b92fcb655c834
SHA1
8b2657a5c5f003daef6f1f0f09f258f8c379e852
SHA256
2de18ee84327e8591745134989a3dfafdeec78e8fa07cff9dc01faba4093a701
SHA512
897c0551a8b11cfb54009e5191b25a9b7fee217b1cb96d617b21f12fee4b4ee84b068be702a6dde558d34c997a962f266c1338024e0ca4b1cf0fb95b5dd465a9