Malware Analysis Report

2025-01-22 14:27

Sample ID: 240623-pt5ymazhnf
Target: 0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118
SHA256: 98bfb6dbce441f0045bb41cbff65a491837b292611aa26c1048f5f58c879b234
Tags: gh0strat, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 98bfb6dbce441f0045bb41cbff65a491837b292611aa26c1048f5f58c879b234
Threat Level: Known bad

The file 0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: gh0strat, rat

Gh0st RAT payload

Gh0strat

Loads dropped DLL

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-23 12:38

Signatures

Unsigned PE

No indicator, process or target details recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-23 12:38
Reported: 2024-06-23 12:40
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

No indicator, process or target details recorded for this signature.

Gh0strat

Tags: rat, gh0strat

Loads dropped DLL

Process: C:\Windows\SysWOW64\svchost.exe (3 events; no indicator or target recorded)

Drops file in Program Files directory

File opened for modification: C:\Program Files (x86)\%SESSIONNAME%\gtgmy.pic
Process: C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe
The directory component is the literal string %SESSIONNAME%; the variable was written unexpanded, which makes the path itself a usable indicator.

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe (no indicator or target recorded)

Processes

One command line per process, in launch order:

"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k regsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 (none recorded) udp

Files

\??\c:\program files (x86)\%sessionname%\gtgmy.pic

MD5 0815469301c930c991627762bc68cadc
SHA1 f6c9335e65491aaa8a82ba036f8a5634ac680872
SHA256 4b72d5c45b0d335a77a06f3ce9ef30ed227d18862c0e3daff21c5e7b9f4b2138
SHA512 739f773e7506a5697b0ab3d5e3333787b802baf9234f6e64b22139623bd987ddf8d93d41749b88007f1abc80ce6cf45bf3f2f6a7df264c856cea77639814c832

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-23 12:38
Reported: 2024-06-23 12:40
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

13 hits; no indicator, process or target details recorded for any of them.

Gh0strat

Tags: rat, gh0strat

Loads dropped DLL

Process: C:\Windows\SysWOW64\svchost.exe (34 events; no indicator or target recorded)

Drops file in Program Files directory

File opened for modification: C:\Program Files (x86)\%SESSIONNAME%\lvsjf.pic
Process: C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe
As in behavioral1, the directory component is the literal string %SESSIONNAME% (unexpanded); only the file name differs between runs.

Program crash

33 events: Process C:\Windows\SysWOW64\WerFault.exe, Target C:\Windows\SysWOW64\svchost.exe (no indicator recorded)

Suspicious use of AdjustPrivilegeToken

48 events from process C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe (no indicator or target recorded):
Token: SeRestorePrivilege (24 events)
Token: SeBackupPrivilege (24 events)

Processes

One command line per process, in launch order. Each 32-bit svchost.exe launch below is followed by the two WerFault.exe invocations (-pss, then -u) that report its crash; the pid in the WerFault arguments is that of the crashed svchost.exe. The final helpsvc launch has no crash report within the run.

"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1036 -ip 1036
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3884 -ip 3884
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1164 -ip 1164
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2608 -ip 2608
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1192 -ip 1192
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1568 -ip 1568
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3472 -ip 3472
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2024 -ip 2024
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3856 -ip 3856
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3280 -ip 3280
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1792 -ip 1792
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 516 -ip 516
C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 540 -ip 540
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5048 -ip 5048
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 936 -ip 936
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 592
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc

Network

The report attributes none of the connections below to a process. They consist of DNS queries to 8.8.8.8, HTTPS to Bing hosts and reverse (in-addr.arpa) lookups, which is the background traffic expected of a Windows 10 sandbox image; no command-and-control callback by the sample or its svchost.exe children was recorded.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

Thirteen distinct versions of the same dropped file were recorded. Each entry below is one version of C:\Program Files (x86)\%SESSIONNAME%\lvsjf.pic; the \??\ prefix is the NT object-manager form of the same path.

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 dfee2f01495c76601875a46d8e6ab1e8
SHA1 b1804dc410b986e9cb6029c2a3696eb0b99cc96b
SHA256 3b8f795ecce5eba3bd5e4381da68601b434a74c27c6980aae275adc74586138b
SHA512 908e413e551ecaaabfa56faac417f5df4389becef19d18b241255be5a4c698e48f3b2a1358c28323ccdf1321e94126ea90c556fe2ddd732816c8414c5477b259

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 265a2be32d3f9a5b28739a383baf1e0c
SHA1 e5273f37026651ecbd6537dbcb356ecc1642bdff
SHA256 c636663278d8fad009ad033407c83bcc547c3c95977eafe7d9b1a119933e0017
SHA512 14fc134a16a5bf73eead701ed1160fb4440be55fc05e63d4056a5297a5a99f1af01bc8c66ab801f85ddd7bc4057d8894228afd3e93028e88248e0eec17440795

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 79b52489ce6d63ce813c84b525cb0540
SHA1 4490120961bfd98fbb6cf56ea168f25025052e31
SHA256 5b1d2df8f792a96946eab45bf460d5f0b7d3eb05f9ed7908b04600e297275eae
SHA512 22348ea097b30de7d2a7cd4770ebd01681472abc1b33296135427187827af0fb4e44a4ba1152256eb44a150a3f9604e3e4466763f7a9317b95be158ada9eb286

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 0d1b9b5b75781080b7554b2f568d89ea
SHA1 925893c2a69a8e292ef79ceb6931eb391f1657cc
SHA256 69d9727be3577017ffba9327047363459a27da5947be828793c8a85117735426
SHA512 e16ca69fc56706bf6944bff619a0d17db64029dceefc3530c907d6da82abe5b4245de573ec8505fb391c69f5133394025141a4e98b9f7b7855c7615328c3badc

C:\Program Files (x86)\%SESSIONNAME%\lvsjf.pic

MD5 99920ac919edd0319fa76c7ad559ffd3
SHA1 1c6b75e9831d0819111541c0590f4f306b1a2998
SHA256 9d4ab4947b130114388c9e967f137aafad4d8cf6c7eafb94b24da74c62a89953
SHA512 de2b14a8b7a382991d6f9ae0545a348fc61e33ea91915faab251b0d0e21c60580bec58f89f115494e1f4d7ec16aee5d12283885aeb52fdfc656972fb146bc649

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 ab8959c26adaca624970ff04a69f6ecc
SHA1 5a19ccd6072881ac2f8b8e35fd09894444a49dcf
SHA256 22d985cbc1977f5a0c941b0cfe79475c79a8f8005eb991466cd7252292876c63
SHA512 d4796d971337a00999a2e4b04d7aa99aab631291ca4a89fa558e448038b68ce4a0aa05a7b82f90169640b2c6afe61d1f06a4104574df6169a55b2afd0c54c71f

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 3b791c0a6cc660600a829092742fba8a
SHA1 13b04ebedcb7137af73f826fefcd51532ee8660d
SHA256 81504fe4cdada87e891f5bd31526221cb913600ba514e7b935a21c99ea6b5877
SHA512 d908ce256ba5fd2e06c341f8d4444a0903adaed817eee8989b036cc8c90835c699b08b0e3f28ff93625714ad963498bbc913ec21701e490e4c946cbb5fa21cb9

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 0e8d4373744bf061ee702fd2f37b0ff8
SHA1 14526cdec3b24f4ffd2ac2156f29745793d86810
SHA256 40eae4a86f0e3976dd382e4d539cc503a1544af79dbcc9f0a490a6f0a80bad18
SHA512 218f8f8fde8b0a7ad025cde1cc33466a8e5ec0f967fcbf15e81ab5e0cb021689f2b1f4ff443213e0b8016779b7fac508e94f5814706df93c4abc5718f2ffe75b

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 fba5ff24547d980f03e9b7cbc675a872
SHA1 befbe8ba205df78132b250895e55bd15e2a22bac
SHA256 a133342b842b2ef32f9fa74f1c358089719bae4816a31ddbf26ab96eb68bcaaa
SHA512 df99de87e748d65c30958f0f5cdd7d8924ebd0299c481b180cd8603fae9da0014500a9df37b0c44c47ff7701f4bfa789fd5aeaf399c8fcd0a318743ef336da90

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 088881915e573951e311179100e90c3f
SHA1 cd3a3e620ed72bc8b9001befac9e3309255b5b77
SHA256 794af9593cd18ea77f0f57a22af1fa72e252b45c72cc1928249a79f04f717c8b
SHA512 85c493ffd8f9b795aa2907888776ebcf5f28ab965332e13a40a7cde8207e07b641c99f2b8f528a4082dc15d172cbb448c0872955cfa1ba072578d72b6440e9e5

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 8e7e79b79a2dc51a8ece865f60ef49d1
SHA1 8445a5b47a6736dc6a90fbe836ad235c40251f0c
SHA256 957c2dcf11fe131a663acccde64479b06aa289cd529f820b69d380a6ccc2af1c
SHA512 267df50a9cd3b79fa7abeb86976f06dc0630632b6c70f97538c7f0ad752ea2d4dd224a1444ad728a7a2c62fb7b443ed5c9804fbf23cc5a669ef3a3a34137f77b

\??\c:\program files (x86)\%sessionname%\lvsjf.pic

MD5 ff715d897f6c20311bec97daa42679f3
SHA1 e750bf2b35ba6649720bfcde8a50db0eb3b14c5d
SHA256 efa83e2348a126d5c67c56b84d3c180cf1f6f8833d111075c4a09c771852298c
SHA512 e5ca4f5230d29c93cc8495bb3d7daefaac07129ae8895e079bf759c24041fd4e040ce2835ea28376f72e03f5c3c059f4f1cd599e10891f10f5c24718f6e8efa6

C:\Program Files (x86)\%SESSIONNAME%\lvsjf.pic

MD5 30f8e5b92f2dd811e85a43917819a766
SHA1 3728e37bb5eef7e8473ed56654302b7e9c95503f
SHA256 707ed5f227d4f70944963bff10b0cd9fa282cfcc19f13318ab7121a0aa2a91ff
SHA512 411d695487ab7e75aa7dd3c010e7d7d3bb728f0164bd550d0f7a583e5d61659aee1f3666b6b7d6aae5c4acb4dfb8441ca813b781cc505a0e97d25203664cc3c0
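The two host artifacts that stand out in this report are a chain of 32-bit svchost.exe launches under "-k netsvcs -s <service>" that each end in a WerFault.exe pair, and a dropped-file path whose directory is the unexpanded literal %SESSIONNAME%. The following is an added detection example, not part of the sandbox report or of any tool the report names. It parses a transcribed subset of the behavioral2 process list and the dropped-file path, groups launches and crashes by service name, and flags literal %VAR% components in written paths. The command lines, pids and paths are the report's own; NETSVCS_BASELINE is an assumed operator-maintained list of services expected under netsvcs on the monitored build, and charging a crash to the most recent svchost launch is a heuristic forced by the report carrying pids only in the WerFault arguments.

```python
"""Added detection example (not from the sandbox report): two checks derived
from the behavioral2 Processes and Files sections. Command lines, pids and
paths are transcribed from the report; NETSVCS_BASELINE is an assumed
operator list and crash-to-service attribution is a heuristic."""
import re
from collections import OrderedDict

# Transcribed subset of the behavioral2 process list, in the report's order.
PROCESS_LOG = [
    r'"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"',
    r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1036 -ip 1036",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 592",
    r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2788 -ip 2788",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 592",
    r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3852 -ip 3852",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 592",
    r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3624 -ip 3624",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 592",
    r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc",
]
# The dropped-file path exactly as the report prints it, NT and Win32 form.
DROPPED_FILES = [
    r"\??\c:\program files (x86)\%sessionname%\lvsjf.pic",
    r"C:\Program Files (x86)\%SESSIONNAME%\lvsjf.pic",
]
# Assumption: service names the operator expects under "-k netsvcs".
NETSVCS_BASELINE = {"schedule", "winmgmt", "themes", "lanmanserver"}

SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)(?:\s+-s\s+(\S+))?", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-pss\s+-s\s+\d+\s+-p\s+(\d+)", re.I)
UNEXPANDED_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")


def parse_svchost(cmdline):
    """(group, service-or-None) for an svchost.exe launch, else None."""
    m = SVCHOST_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), (m.group(2).lower() if m.group(2) else None)


def crashed_pid(cmdline):
    """pid from a WerFault '-pss ... -p <pid>' line, else None. Each crash
    yields one '-pss' and one '-u' line; counting '-pss' counts it once."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def summarize_netsvcs(log):
    """Launches and crashes per netsvcs service name. A crash is charged to
    the most recent svchost line (heuristic; with real telemetry key on the
    child pid instead)."""
    summary, current = OrderedDict(), None
    for line in log:
        parsed = parse_svchost(line)
        if parsed:
            group, svc = parsed
            current = (svc or "*") if group == "netsvcs" else None
            if current:
                entry = summary.setdefault(current, {"launches": 0, "crashes": 0, "pids": []})
                entry["launches"] += 1
            continue
        pid = crashed_pid(line)
        if pid is not None and current:
            summary[current]["crashes"] += 1
            summary[current]["pids"].append(pid)
    return summary


def flag_services(summary, baseline=NETSVCS_BASELINE):
    """Services outside the baseline as (name, severity, launches, crashes),
    crashing ones first: a netsvcs entry that never runs cleanly is the
    footprint of a payload registered as a service DLL."""
    hits = [(svc, "high" if s["crashes"] else "medium", s["launches"], s["crashes"])
            for svc, s in summary.items() if svc not in baseline]
    hits.sort(key=lambda h: (h[1] != "high", -h[3], h[0]))
    return hits


def unexpanded_env_paths(paths):
    """(path, tokens) for paths containing a literal %VAR% component, i.e.
    built by string concatenation without ExpandEnvironmentStrings."""
    out = []
    for p in paths:
        native = p[4:] if p.startswith("\\??\\") else p  # drop NT prefix
        tokens = UNEXPANDED_RE.findall(native)
        if tokens:
            out.append((native, tokens))
    return out


if __name__ == "__main__":
    for svc, sev, launches, crashes in flag_services(summarize_netsvcs(PROCESS_LOG)):
        print(f"[{sev}] netsvcs -s {svc}: {launches} launch(es), {crashes} crash(es)")
    for path, tokens in unexpanded_env_paths(DROPPED_FILES):
        print(f"[high] literal {' '.join(tokens)} in dropped-file path: {path}")
```

On the transcribed subset the first check reports fastuserswitchingcompatibility (3 launches, 3 crashes) and ias (1, 1) as high and helpsvc (1 launch, no crash) as medium; on the full list from the report it would report eleven crashing service names plus helpsvc. The second check fires on both spellings of the dropped-file path. With EDR or Sysmon data, replace the ordering heuristic by matching the WerFault "-p" pid against the svchost.exe process-creation event, and add the parent: svchost.exe launched by anything other than services.exe is itself the stronger signal, which this report cannot show because it does not record parent processes.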