gh0strat | 78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0.exe
Size

188KB
MD5

713fb09d70d90d60d1d49ce353fe05b0
SHA1

797c04a9ddc7579728bc6087bcdc44215bb84882
SHA256

78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0
SHA512

434eac53e47525f5fa486dd1206895701b2eb58981c907f1aca444536a897e141e7adfb2ee3a493682af55a06dd7859faf95ab74fbac0309cf9eb6bf0eef0982
SSDEEP

3072:GTQa1nW7nA+J+KhHtoyviMmrhplCQuM359VgrzjKr+YHd:QVnW7XUSHtoyiMmdCQdVg2r+Y

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e21-132.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-133.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-134.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-136.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-138.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-140.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-142.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-144.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-146.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-148.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-150.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-152.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-154.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-156.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-158.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-160.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-162.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-164.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-166.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-168.dat	family_gh0strat
behavioral2/files/0x0008000000022e21-170.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 20 IoCs

pid	Process
4084	svchost.exe
4432	svchost.exe
2988	svchost.exe
3800	svchost.exe
4200	svchost.exe
540	svchost.exe
2524	svchost.exe
1116	svchost.exe
1696	svchost.exe
2380	svchost.exe
1912	svchost.exe
728	svchost.exe
4444	svchost.exe
1460	svchost.exe
2448	svchost.exe
2224	svchost.exe
3860	svchost.exe
4300	svchost.exe
4904	svchost.exe
1600	svchost.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tbmbgqgpck	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\trwxtpawdx	svchost.exe
File created	C:\Windows\SysWOW64\tdcginbjur	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tdlbketqhg	svchost.exe
File created	C:\Windows\SysWOW64\tgwqxivuye	svchost.exe
File created	C:\Windows\SysWOW64\tnyeawcqms	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tiykkvfrdn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tpeyjsjgld	svchost.exe
File created	C:\Windows\SysWOW64\twphmxijmg	svchost.exe
File created	C:\Windows\SysWOW64\twgmlhpcyr	svchost.exe
File created	C:\Windows\SysWOW64\tniycnuxah	svchost.exe
File created	C:\Windows\SysWOW64\tkkpqkctcu	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tpuehcqayo	svchost.exe
File created	C:\Windows\SysWOW64\tbdhfaoipv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tpktobeuer	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tgnvwrdnmp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tebqqdhmnj	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tldfsrmibx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\trgsvgsepm	svchost.exe
File created	C:\Windows\SysWOW64\tippjfmlqy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\APPLIC~1\Storm\update\xdjme.dlc	78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0.exe

Program crash 19 IoCs

pid	pid_target	Process	procid_target
1072	4084	WerFault.exe	80
4632	4432	WerFault.exe	85
2148	2988	WerFault.exe	88
3720	3800	WerFault.exe	91
1396	4200	WerFault.exe	94
1464	540	WerFault.exe	97
5036	2524	WerFault.exe	100
4612	1116	WerFault.exe	103
2208	1696	WerFault.exe	106
5032	2380	WerFault.exe	111
4428	1912	WerFault.exe	116
2276	728	WerFault.exe	120
5068	4444	WerFault.exe	124
4068	1460	WerFault.exe	127
3364	2448	WerFault.exe	130
1728	2224	WerFault.exe	133
2088	3860	WerFault.exe	136
1984	4300	WerFault.exe	139
4632	4904	WerFault.exe	142

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2244	78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0.exe
Token: SeRestorePrivilege	2244	78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeRestorePrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeSecurityPrivilege	4084	svchost.exe
Token: SeSecurityPrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeSecurityPrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeSecurityPrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeRestorePrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeBackupPrivilege	2988	svchost.exe
Token: SeRestorePrivilege	2988	svchost.exe
Token: SeBackupPrivilege	3800	svchost.exe
Token: SeRestorePrivilege	3800	svchost.exe
Token: SeBackupPrivilege	4200	svchost.exe
Token: SeRestorePrivilege	4200	svchost.exe
Token: SeBackupPrivilege	540	svchost.exe
Token: SeRestorePrivilege	540	svchost.exe
Token: SeBackupPrivilege	2524	svchost.exe
Token: SeRestorePrivilege	2524	svchost.exe
Token: SeBackupPrivilege	1116	svchost.exe
Token: SeRestorePrivilege	1116	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeBackupPrivilege	2380	svchost.exe
Token: SeRestorePrivilege	2380	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeBackupPrivilege	728	svchost.exe
Token: SeRestorePrivilege	728	svchost.exe
Token: SeBackupPrivilege	4444	svchost.exe
Token: SeRestorePrivilege	4444	svchost.exe
Token: SeBackupPrivilege	1460	svchost.exe
Token: SeRestorePrivilege	1460	svchost.exe
Token: SeBackupPrivilege	2448	svchost.exe
Token: SeRestorePrivilege	2448	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	3860	svchost.exe
Token: SeRestorePrivilege	3860	svchost.exe
Token: SeBackupPrivilege	4300	svchost.exe
Token: SeRestorePrivilege	4300	svchost.exe
Token: SeBackupPrivilege	4904	svchost.exe
Token: SeRestorePrivilege	4904	svchost.exe

C:\Users\Admin\AppData\Local\Temp\78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0.exe
"C:\Users\Admin\AppData\Local\Temp\78b8310b9df32e78f9bbf7d47e15b0efa215c7facee2389d8d6922b4156a1aa0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 892
  2⤵
  - Program crash
  PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4084 -ip 4084
1⤵
PID:4412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 996
  2⤵
  - Program crash
  PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4432 -ip 4432
1⤵
PID:4816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 956
  2⤵
  - Program crash
  PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2988 -ip 2988
1⤵
PID:2688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 984
  2⤵
  - Program crash
  PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3800 -ip 3800
1⤵
PID:4436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 912
  2⤵
  - Program crash
  PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4200 -ip 4200
1⤵
PID:1012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 972
  2⤵
  - Program crash
  PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 540 -ip 540
1⤵
PID:3428

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 972
  2⤵
  - Program crash
  PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2524 -ip 2524
1⤵
PID:984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 972
  2⤵
  - Program crash
  PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1116 -ip 1116
1⤵
PID:2392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 956
  2⤵
  - Program crash
  PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1696 -ip 1696
1⤵
PID:2716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 908
  2⤵
  - Program crash
  PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2380 -ip 2380
1⤵
PID:4872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 956
  2⤵
  - Program crash
  PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1912 -ip 1912
1⤵
PID:4852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 908
  2⤵
  - Program crash
  PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 728 -ip 728
1⤵
PID:2844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 968
  2⤵
  - Program crash
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4444 -ip 4444
1⤵
PID:2360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 972
  2⤵
  - Program crash
  PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1460 -ip 1460
1⤵
PID:3092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 956
  2⤵
  - Program crash
  PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2448 -ip 2448
1⤵
PID:4844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 976
  2⤵
  - Program crash
  PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2224 -ip 2224
1⤵
PID:5040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 680
  2⤵
  - Program crash
  PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3860 -ip 3860
1⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 968
  2⤵
  - Program crash
  PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4300 -ip 4300
1⤵
PID:3508

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 984
  2⤵
  - Program crash
  PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4904 -ip 4904
1⤵
PID:612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\ProgramData\Storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
83f564eeb71a011fd33f607c359d2156

SHA1
a584e941a51bee0978de569be864fbfa39b46f47

SHA256
1604553752b12ed1274793d3a3b322e7985db88de210471e2d080b78d996aa00

SHA512
f6d04401ce29ccd64572437d6383b8d63f842a1a5bf5f62024e0d9d48d1dd6195da13072e382562f0d140c3ff96e627b3f4b14a8f810ee3cee66844c9f14b92a

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
ebdc1767db88d48ffbe0ef2191bf22cd

SHA1
e7436fd3d7e0d004df04d33c193362cf1a8f022b

SHA256
c96c8648dc5a778ed53ec3c916c3a80ac5aa6ee7cea8798f41bb496561186942

SHA512
ff362e77601a92bffb8f8ce566184d5f648ab4f7c61c8cae50c95f3ebfbc1c4db7eeb5520c666d7ab8d89d0cb66c46f6032efcafe144df20ded33092faa02cb7

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
408B

MD5
b91522a844b5d11cb32cf33371dbe9ce

SHA1
09af5f17cc7f41128972592b8f496cff544e858d

SHA256
d750a1506db26cbb0a776b7f6f20dd2c8a656dc9823c3578ee67f84254c14c3e

SHA512
632ed04b7d681ae398fc9ff3467813be6cf639298a5fbc90ce51e4c0df980a9f4ab967bcbae6a779b6968b953aeb4812d9f6fa71c56e7913fb744544602c1856

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
510B

MD5
ab9258507ab221a4a867d71daa20035e

SHA1
d3451f05eeff7dbeee2b41e20f76ec8f7ce52517

SHA256
ad254b53c7757c13079514fff42b3b60f0933e668997dc4419dfccf66fa317f4

SHA512
c551b75a7a0a86bc9a4b4f0880568a38fed17e58fd718350fe002abf6e8e611a8aec4ca815777279abb84b5fcd693895dcda8807d7ce79029e4ebfeb17b0c308

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
569B

MD5
288951f215ebd1d76b98e69ba4fbaabc

SHA1
6ac8c046843321eeb9ced9928605f4f7c4e4fcd0

SHA256
d9570af39aa02ed0b94bc7fd503eb0b95236de95e29e83e7506c6864240b6f13

SHA512
ef8dd54856839a5491a78249e754dc4b3075a72c0e2cc5c21a71c142746d1f48d6ff610237ce67ae2857e313a084994d4ead8928089de21cd115a4740a24ff12

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
712B

MD5
881331af8f58b198d48fd653e5b9141a

SHA1
d1457649374353028b65b8753f34f2d573d1f19d

SHA256
dc32a3ee175b43ca8e4572e871e0e042d825e78ffe25ef3f2c7cbdd83d82802e

SHA512
5253901a7f503cc5a2da0423e988fd97e7089806776ca1a2dc62dd1cb12570021e29ff61ef71e6506a36798bc135fe164ee93bb294176db07b7a7faee23149bd

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
813B

MD5
0f4d22a2e21cffa3d37924a48fa5c284

SHA1
ee3618308f6e6ca633236b11f8955b9fb5a8118b

SHA256
5e176d43e2160c16a6e1f7e4f2c4125648167c8e3f4770ea5398b20606611f49

SHA512
1b978772d2130e5b4b0acd91a91a017c11f5ceec40aab16f9062968b0eb5d1347324db589d33bf6c002bb7ead3d44175d7f9f2f49c4d42d64973e6c1c58be53d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
914B

MD5
449f5c741a95bd6860f04f20876ab304

SHA1
9806ed768dc17fdbc76263f476f45f1c7b172863

SHA256
5cf2c2a2c1f0d7a80f20d58e19df66bff0d6a94bd8c299cfc6b9e40103e734e2

SHA512
1640b386d86c5c94a1f8908dc36f3a7e3678d5b01a103fa09e86c630ff1c18e0c62d8c1a14cb6f68ed37e0aac35738fa59b72c4ed2bb93dc07d18c800c183170

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1016B

MD5
b433e4efd4c20e7409c260180381555d

SHA1
5e7dcb5df3ed3c1e0f173af96ebd20588b57e032

SHA256
7627e933cda6a536b82fa209db76c08e50b42d7eae4be1c450333a9e7c5de8e1

SHA512
c7c7ea448506499e64044933a7117f485bbd1b4fb4964ae28e5eae436738b923cbbc33cdd86969e877ffb7f8dcaf914edf750e764e5f67b03e7c72f45b961ad9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
3fdc87c5a03c4f485a5139c3a0f6e0c0

SHA1
f233754efbfdcdeb2cf2b57807853fcb90d23608

SHA256
7c955505480defd9fed4a1ee3e17b1ba6374741f49b37aea6258fb62128847e9

SHA512
b153db7272c3abb5b8971e5ff4b2175384e67fe07ee10978d39925b33303d1bef141b1612ed26c87e14fe96a8404f5839a524ad288f01426f36258c16907d405

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
03ad7d29e1715bb85abe9c7a24bded91

SHA1
075c10b43476d9d6a62a88fa69f2bce85c9543b2

SHA256
6ee79c0af90e3eb89ee631a319c67f0cac4c32284cfda5b9a8ea9be94629f41e

SHA512
225156b71f1fc96061b49104a768553371e3f01184700cc9481a38876606f40b3dc4e7c6273cb62437bc425384f2743b5a6f4225589a058bfb65084c98aac1f9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
a33195057c6e76308aa1985a78ef1b94

SHA1
e9d1589cf5e82f9266f0c3772a367a6f5acf2634

SHA256
63986efda5ab124f2f1fb71899a3e9ec52dc7e030f16c8360602c09834030017

SHA512
9bacd194683013abfc1ebbcb747b57e84b38d552f2241c9a45cb5402fb2d4455f3a207707ec925456e1df921b2e7bc8eb052bdfd9e4cfe2dcb5255548fe180d6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
2fc08dd1354276b44fa119ad0686e714

SHA1
93f09267db2553e6b5755a36d5754ea1afe31802

SHA256
65d4ef19a9f4269a2849098dcc8c944c813c2d3cf491844ebc61ab44c45fa35a

SHA512
8d7aa0567fa74e6d9e372dca935c323a1c5429b747eb8bea1e45c8b7e811fccb74c120cc97bc3489c2e6678c81d64600fb568b22e89152c4efc1865f0642475f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
ac5178bc2125056af97d8e5aa9489fa1

SHA1
f42e7132d0a63a917345355f5054036476395b4a

SHA256
b978078b7b472b7af809156e5e437ac0b7a1d199112a50c2b22b103461059552

SHA512
6fb5e6ba4a02a337ccb27dfb546127653dc464a43d9ed70128232bb3f690532bdd882c6a15743ea9d9237647c879facc48f23a69770523bdbc96f6c7467d314f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
cea942339773e51040235aa61a17d9a4

SHA1
e95c6a9c76788d9ce772b5b93d3781a3c91257ef

SHA256
408e91e51f55246ef7f21b0691146d8043479928ba4b50d6cd8fba6fcdf84409

SHA512
ed5b5d51855c6232213f5d4b84ba254f023b1f43ca5b3b8181eb6439b6aeda29a6bffade86c6774b018bf28e05986ffa977afd415a5b30f95e3565e7101f7b75

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
fb80911982b64e716e34512e87c8801d

SHA1
ba0ac4d5e7b10b405733980abb1eb7c3af34ee4b

SHA256
ef266de73a578540c5dcedfdfd62a0f0be5ed2d2d2b32a1b575c85462e0b6478

SHA512
781b8a0f72c0181818c2e6d85de940c4754f841935b9b2435fe5cc45e03758a67dd661e2b0d6eaeedeba70c450949de34dce8975c9877bc6474c760f106e65fe

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
a3d08696d7fa3f67e814890c17e81640

SHA1
4746c16ff2609922f12388dc784392a582a31712

SHA256
96d24beedd8ba295103035b87adbe75497c502d3306a965bd95073d34c071725

SHA512
f94b680b1985691789e27befa10e34778d7b49d8d82a1a8ffeb3df40eee11d8fd8693cff0acb1d4d670cee85a61078e627cef68a0d09ed795eac10193a683a41

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
b1f78bf8611e1dc2bfedf36426c3c10d

SHA1
45f168401bce70ca0cc3e0c45f9f7eaee6428153

SHA256
a17922d72ea7c03df551e7259eb6f18ba6b63509057a94120c1e2a6ba0a0729f

SHA512
1f63de2f0d8f63d10d4f358f46637931ed9929fd00341530dce4647debec41045a7a10068eb4b7748615cdf0e05cdce98ab545c34cf84a5155b5cb3e5ce2bf16

Download Submit
\??\c:\progra~3\applic~1\storm\update\xdjme.dlc

Filesize
3.9MB

MD5
223ea9395082c019a95db5189bd2d418

SHA1
20e4b4077f7b6cae24c6c7826f36a4b0c3ec79b9

SHA256
cc713f0608174eafdce31c2ef166be708a9a3efcbdd85a77c165757536882435

SHA512
e07e722a8974aa8f516a3df9da1da92a71aa65533779fe3486465b5f452a9a0c3d88b90c33550cc4897d71963c08631fbd52a3fd396abeb57b096a2f24688fd8

Download Submit