Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 22:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
90f392a4cf798ee027ecc7287f0e36fa_JaffaCakes118.dll
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
General
-
Target
90f392a4cf798ee027ecc7287f0e36fa_JaffaCakes118.dll
-
Size
181KB
-
MD5
90f392a4cf798ee027ecc7287f0e36fa
-
SHA1
69b098ca1a1a95996da8548dea175fbbe77fd28a
-
SHA256
f13022015f6b147f4a6637dc764860f49eaa8f040b31656c281338f71b72a98a
-
SHA512
6c9b52d09e00f9f1ec833efbb14f95d2426bfcabfb24e482ff131da100d03718b99f298ed0129c9946f79128fef28de608f4e676bf22c0cc9f1708ceade3041a
-
SSDEEP
1536:61Pnv0wn+OHkJ9yhGdliDSA2PrGWESsBo2ZjPNxB3UB+1uw8bpkTWgTzMymmeCHO:wnuucdliWAQrxNccnbYntHJ3cp7
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 2 IoCs
Processes:
rundll32mgr.exeWaterMark.exepid Process 2672 rundll32mgr.exe 2644 WaterMark.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exerundll32mgr.exepid Process 2720 rundll32.exe 2720 rundll32.exe 2672 rundll32mgr.exe 2672 rundll32mgr.exe -
Drops file in System32 directory 3 IoCs
Processes:
rundll32.exesvchost.exedescription ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
Processes:
resource yara_rule behavioral1/memory/2672-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2672-20-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2672-18-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2672-17-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2672-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2644-39-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2644-59-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2644-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2672-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2644-401-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2644-659-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
Processes:
svchost.exedescription ioc Process File opened for modification C:\Program Files\Windows Mail\wab.exe svchost.exe File opened for modification C:\Program Files\Windows Media Player\WMPNSSUI.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\installer.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jpeg.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWSS.DLL svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\jsdebuggeride.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfps_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1655.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblibmpeg2_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe svchost.exe File opened for modification C:\Program Files\Internet Explorer\DiagnosticsTap.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLL svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msado15.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html svchost.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2692 2720 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32mgr.exeWaterMark.exesvchost.exesvchost.exerundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes:
WaterMark.exesvchost.exepid Process 2644 WaterMark.exe 2644 WaterMark.exe 2644 WaterMark.exe 2644 WaterMark.exe 2644 WaterMark.exe 2644 WaterMark.exe 2644 WaterMark.exe 2644 WaterMark.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe 1756 svchost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
WaterMark.exesvchost.exerundll32.exeWerFault.exedescription pid Process Token: SeDebugPrivilege 2644 WaterMark.exe Token: SeDebugPrivilege 1756 svchost.exe Token: SeDebugPrivilege 2720 rundll32.exe Token: SeDebugPrivilege 2692 WerFault.exe Token: SeDebugPrivilege 2644 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
rundll32mgr.exeWaterMark.exepid Process 2672 rundll32mgr.exe 2644 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exerundll32.exerundll32mgr.exeWaterMark.exesvchost.exedescription pid Process procid_target PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2768 wrote to memory of 2720 2768 rundll32.exe 30 PID 2720 wrote to memory of 2672 2720 rundll32.exe 31 PID 2720 wrote to memory of 2672 2720 rundll32.exe 31 PID 2720 wrote to memory of 2672 2720 rundll32.exe 31 PID 2720 wrote to memory of 2672 2720 rundll32.exe 31 PID 2720 wrote to memory of 2692 2720 rundll32.exe 32 PID 2720 wrote to memory of 2692 2720 rundll32.exe 32 PID 2720 wrote to memory of 2692 2720 rundll32.exe 32 PID 2720 wrote to memory of 2692 2720 rundll32.exe 32 PID 2672 wrote to memory of 2644 2672 rundll32mgr.exe 33 PID 2672 wrote to memory of 2644 2672 rundll32mgr.exe 33 PID 2672 wrote to memory of 2644 2672 rundll32mgr.exe 33 PID 2672 wrote to memory of 2644 2672 rundll32mgr.exe 33 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 2252 2644 WaterMark.exe 34 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 2644 wrote to memory of 1756 2644 WaterMark.exe 35 PID 1756 wrote to memory of 256 1756 svchost.exe 1 PID 1756 wrote to memory of 256 1756 svchost.exe 1 PID 1756 wrote to memory of 256 1756 svchost.exe 1 PID 1756 wrote to memory of 256 1756 svchost.exe 1 PID 1756 wrote to memory of 256 1756 svchost.exe 1 PID 1756 wrote to memory of 336 1756 svchost.exe 2 PID 1756 wrote to memory of 336 1756 svchost.exe 2 PID 1756 wrote to memory of 336 1756 svchost.exe 2 PID 1756 wrote to memory of 336 1756 svchost.exe 2 PID 1756 wrote to memory of 336 1756 svchost.exe 2 PID 1756 wrote to memory of 384 1756 svchost.exe 3 PID 1756 wrote to memory of 384 1756 svchost.exe 3 PID 1756 wrote to memory of 384 1756 svchost.exe 3 PID 1756 wrote to memory of 384 1756 svchost.exe 3 PID 1756 wrote to memory of 384 1756 svchost.exe 3 PID 1756 wrote to memory of 392 1756 svchost.exe 4 PID 1756 wrote to memory of 392 1756 svchost.exe 4 PID 1756 wrote to memory of 392 1756 svchost.exe 4 PID 1756 wrote to memory of 392 1756 svchost.exe 4 PID 1756 wrote to memory of 392 1756 svchost.exe 4 PID 1756 wrote to memory of 424 1756 svchost.exe 5 PID 1756 wrote to memory of 424 1756 svchost.exe 5 PID 1756 wrote to memory of 424 1756 svchost.exe 5 PID 1756 wrote to memory of 424 1756 svchost.exe 5 PID 1756 wrote to memory of 424 1756 svchost.exe 5
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:384
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:392
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:616
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1476
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1032
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:692
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:776
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:828
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1168
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:856
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2576
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:984
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:300
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:1052
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1076
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1124
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:824
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2444
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:388
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:424
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90f392a4cf798ee027ecc7287f0e36fa_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90f392a4cf798ee027ecc7287f0e36fa_JaffaCakes118.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2252
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 2204⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize259KB
MD54910bd4a21c4a2259063505e68a00c0d
SHA1c0a2ba5734e4cbe27ab56912d69544cb3edc4f6a
SHA2560f8c9c00bb877da8e9a92ad16315000e1d0757a3fc70b64535427a2c39fb36bc
SHA512093a53cfa9b7d24bed04bbef24dc3eea83da180292dcbbe84d5b8cf80b830fdde03b286fac5ca7eb3bf2ba05c10162a0161e3b5cf7d0e88294497a1547a8c66f
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize255KB
MD546ce09046154de8d386dd5905b240007
SHA13093ae3ab15f7f07a25c257cb94567e01fe2064e
SHA256f657867924a2de3d4da651df6317a4c260b6331625525a084ab0c94ae239bc7c
SHA512ce996fe01b6f8ad29fda795df3cc90443a9bfd63129d41c3ec46b0749bdfa2c41ef3d4ee0cb0c7b088c65ea084bd04dc2d38ac7e44b963df9f53880e594d2228
-
Filesize
123KB
MD5d58c48349740be379fadc337f47feb1a
SHA13d5ae46f74e54add467e9f79da72561007cc2ae4
SHA2561fc6dfe1b7b269618dbb0846316915612b6c88e3a981e43efad871ee648d1ce7
SHA512a5eff12e9db610b14eb80b695a37c91d983accb1457c12e4a89ad28335c4152912657f46576ebbcdca03161f650ac1a1cabc40c9dea27748325ca2eb5cebbc35