darkcomet | 53e3a6c30a9afc46e68af8c105f43e199e139c422abb0e2bf0f51a6fb4c8ef48

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Size

1.6MB
MD5

5a8968b14bc1e9c21add9021c89a2e2f
SHA1

49a84fab07f42639255ed6effdba70cc1e44aff1
SHA256

53e3a6c30a9afc46e68af8c105f43e199e139c422abb0e2bf0f51a6fb4c8ef48
SHA512

15f6d18cd2d240e376690a4a3dff637a22d0a5026caa2662c8a59373d7475a2bef8b4380f4d740ac0cc6eb90c0f11bb8703364fd282e8ae8b67fe9e3aaf6d728
SSDEEP

24576:fpN7TsakOkW14dL7CVDCDjtCuriUsYRbgaUyURZaAxvMGq3bvt/LfA:Hoaq44dL7C5mNRDMxvM3bl/E

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	iexplore.exe

Program crash 50 IoCs

pid	pid_target	Process	procid_target
1300	212	WerFault.exe	83
3640	212	WerFault.exe	83
1044	212	WerFault.exe	83
3008	212	WerFault.exe	83
2016	212	WerFault.exe	83
2740	212	WerFault.exe	83
1388	212	WerFault.exe	83
4256	212	WerFault.exe	83
1284	212	WerFault.exe	83
4724	212	WerFault.exe	83
1704	212	WerFault.exe	83
4584	212	WerFault.exe	83
4012	212	WerFault.exe	83
4856	212	WerFault.exe	83
1948	212	WerFault.exe	83
2824	212	WerFault.exe	83
2272	212	WerFault.exe	83
1620	212	WerFault.exe	83
636	212	WerFault.exe	83
3504	212	WerFault.exe	83
1324	212	WerFault.exe	83
872	212	WerFault.exe	83
1612	212	WerFault.exe	83
1856	212	WerFault.exe	83
2324	212	WerFault.exe	83
4888	640	WerFault.exe	143
2176	640	WerFault.exe	143
4504	640	WerFault.exe	143
3684	640	WerFault.exe	143
4532	640	WerFault.exe	143
3180	640	WerFault.exe	143
3996	640	WerFault.exe	143
2320	640	WerFault.exe	143
3520	640	WerFault.exe	143
4428	640	WerFault.exe	143
2172	640	WerFault.exe	143
3612	640	WerFault.exe	143
1588	640	WerFault.exe	143
4344	640	WerFault.exe	143
1848	640	WerFault.exe	143
1300	640	WerFault.exe	143
3716	640	WerFault.exe	143
1564	640	WerFault.exe	143
2848	640	WerFault.exe	143
2020	640	WerFault.exe	143
4464	640	WerFault.exe	143
1844	640	WerFault.exe	143
4756	640	WerFault.exe	143
2552	640	WerFault.exe	143
4736	640	WerFault.exe	143

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 640	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe	143

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeSecurityPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeSystemtimePrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeBackupPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeRestorePrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeShutdownPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeDebugPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeUndockPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: 33	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: 34	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: 35	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: 36	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	640	iexplore.exe
Token: SeSecurityPrivilege	640	iexplore.exe
Token: SeTakeOwnershipPrivilege	640	iexplore.exe
Token: SeLoadDriverPrivilege	640	iexplore.exe
Token: SeSystemProfilePrivilege	640	iexplore.exe
Token: SeSystemtimePrivilege	640	iexplore.exe
Token: SeProfSingleProcessPrivilege	640	iexplore.exe
Token: SeIncBasePriorityPrivilege	640	iexplore.exe
Token: SeCreatePagefilePrivilege	640	iexplore.exe
Token: SeBackupPrivilege	640	iexplore.exe
Token: SeRestorePrivilege	640	iexplore.exe
Token: SeShutdownPrivilege	640	iexplore.exe
Token: SeDebugPrivilege	640	iexplore.exe
Token: SeSystemEnvironmentPrivilege	640	iexplore.exe
Token: SeChangeNotifyPrivilege	640	iexplore.exe
Token: SeRemoteShutdownPrivilege	640	iexplore.exe
Token: SeUndockPrivilege	640	iexplore.exe
Token: SeManageVolumePrivilege	640	iexplore.exe
Token: SeImpersonatePrivilege	640	iexplore.exe
Token: SeCreateGlobalPrivilege	640	iexplore.exe
Token: 33	640	iexplore.exe
Token: 34	640	iexplore.exe
Token: 35	640	iexplore.exe
Token: 36	640	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 640	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe	143
PID 212 wrote to memory of 640	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe	143
PID 212 wrote to memory of 640	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe	143
PID 212 wrote to memory of 640	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe	143
PID 212 wrote to memory of 640	212	5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe	143

C:\Users\Admin\AppData\Local\Temp\5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 252
  2⤵
  - Program crash
  PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 428
  2⤵
  - Program crash
  PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 616
  2⤵
  - Program crash
  PID:1044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 624
  2⤵
  - Program crash
  PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 668
  2⤵
  - Program crash
  PID:2016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 424
  2⤵
  - Program crash
  PID:2740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 632
  2⤵
  - Program crash
  PID:1388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 672
  2⤵
  - Program crash
  PID:4256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 620
  2⤵
  - Program crash
  PID:1284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 668
  2⤵
  - Program crash
  PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 656
  2⤵
  - Program crash
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 644
  2⤵
  - Program crash
  PID:4584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 612
  2⤵
  - Program crash
  PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 648
  2⤵
  - Program crash
  PID:4856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 616
  2⤵
  - Program crash
  PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 424
  2⤵
  - Program crash
  PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 668
  2⤵
  - Program crash
  PID:2272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 684
  2⤵
  - Program crash
  PID:1620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 692
  2⤵
  - Program crash
  PID:636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 696
  2⤵
  - Program crash
  PID:3504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 688
  2⤵
  - Program crash
  PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 652
  2⤵
  - Program crash
  PID:872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 424
  2⤵
  - Program crash
  PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 700
  2⤵
  - Program crash
  PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 672
  2⤵
  - Program crash
  PID:2324
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Identifies Wine through registry keys
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 256
    3⤵
    - Program crash
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 260
    3⤵
    - Program crash
    PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 268
    3⤵
    - Program crash
    PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 284
    3⤵
    - Program crash
    PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 260
    3⤵
    - Program crash
    PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 640
    3⤵
    - Program crash
    PID:3180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 660
    3⤵
    - Program crash
    PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 652
    3⤵
    - Program crash
    PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 696
    3⤵
    - Program crash
    PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 712
    3⤵
    - Program crash
    PID:4428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 704
    3⤵
    - Program crash
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 720
    3⤵
    - Program crash
    PID:3612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 708
    3⤵
    - Program crash
    PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 684
    3⤵
    - Program crash
    PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 700
    3⤵
    - Program crash
    PID:1848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 724
    3⤵
    - Program crash
    PID:1300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 680
    3⤵
    - Program crash
    PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 696
    3⤵
    - Program crash
    PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 732
    3⤵
    - Program crash
    PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 736
    3⤵
    - Program crash
    PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 664
    3⤵
    - Program crash
    PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 644
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 268
    3⤵
    - Program crash
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 636
    3⤵
    - Program crash
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 692
    3⤵
    - Program crash
    PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 212 -ip 212
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 212 -ip 212
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 212 -ip 212
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 212 -ip 212
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 212 -ip 212
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 212 -ip 212
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 212 -ip 212
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 212 -ip 212
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 212 -ip 212
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 212 -ip 212
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 212 -ip 212
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 212 -ip 212
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 212 -ip 212
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 212 -ip 212
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 212 -ip 212
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 212 -ip 212
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 212 -ip 212
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 212 -ip 212
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 212 -ip 212
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 212 -ip 212
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 212 -ip 212
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 212 -ip 212
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 212 -ip 212
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 212 -ip 212
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 640 -ip 640
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 640 -ip 640
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 640 -ip 640
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 640 -ip 640
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 640 -ip 640
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 640 -ip 640
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 640 -ip 640
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 640 -ip 640
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 640 -ip 640
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 640 -ip 640
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 640 -ip 640
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 640 -ip 640
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 640 -ip 640
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 640 -ip 640
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 640 -ip 640
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 640 -ip 640
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 640 -ip 640
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 640 -ip 640
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 640 -ip 640
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 640 -ip 640
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 640 -ip 640
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 640 -ip 640
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 640 -ip 640
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 640 -ip 640
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 640 -ip 640
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-0-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/212-1-0x00000000004C8000-0x0000000000593000-memory.dmp

Filesize
812KB

Download
memory/212-2-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/212-3-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/212-4-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/212-7-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/212-8-0x00000000004C8000-0x0000000000593000-memory.dmp

Filesize
812KB

Download
memory/640-6-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads