gh0strat | c329a169bc5d4000233d6ad94bb9d3268389b237d85132d9aab78d4f18c6a59e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Size

300KB
MD5

3110403db8b3ac2087f607210321f8b3
SHA1

aa1b2527c5b5a309658bb7f272a4826c7faa9e9c
SHA256

c329a169bc5d4000233d6ad94bb9d3268389b237d85132d9aab78d4f18c6a59e
SHA512

9adc89b59daf5101fd2344a3b502ffe39b364f33879f3acfa8cb802055e433de9b6bb12320c860abe06638b55beb9af631cee781b8fc38490757d1360d36eec1
SSDEEP

6144:JNOVLnWFcMFtsFkVRTl0QdTmNPPYhkUYeWlClcN0/dKUsV+DE:f8LWFr+kV1KIo+PWnWKzf

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023461-3.dat	family_gh0strat
behavioral2/files/0x000d000000023461-9.dat	family_gh0strat
behavioral2/memory/3208-13-0x0000000000400000-0x000000000044B000-memory.dmp	family_gh0strat
behavioral2/files/0x000f000000023461-16.dat	family_gh0strat
behavioral2/files/0x0011000000023461-22.dat	family_gh0strat
behavioral2/files/0x0013000000023461-28.dat	family_gh0strat
behavioral2/files/0x0015000000023461-34.dat	family_gh0strat
behavioral2/files/0x0017000000023461-40.dat	family_gh0strat
behavioral2/files/0x0019000000023461-46.dat	family_gh0strat
behavioral2/files/0x001b000000023461-52.dat	family_gh0strat
behavioral2/files/0x001d000000023461-58.dat	family_gh0strat
behavioral2/files/0x001f000000023461-64.dat	family_gh0strat
behavioral2/files/0x0021000000023461-70.dat	family_gh0strat
behavioral2/files/0x0021000000023461-71.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 34 IoCs

pid	Process
2924	svchost.exe
3164	svchost.exe
112	svchost.exe
548	svchost.exe
4580	svchost.exe
5076	svchost.exe
668	svchost.exe
5080	svchost.exe
2328	svchost.exe
2732	svchost.exe
2808	svchost.exe
4936	svchost.exe
2736	svchost.exe
2500	svchost.exe
4740	svchost.exe
2744	svchost.exe
2876	svchost.exe
220	svchost.exe
2952	svchost.exe
3876	svchost.exe
4948	svchost.exe
2284	svchost.exe
3536	svchost.exe
3280	svchost.exe
4120	svchost.exe
628	svchost.exe
4880	svchost.exe
3300	svchost.exe
4984	svchost.exe
4968	svchost.exe
4080	svchost.exe
4812	svchost.exe
3488	svchost.exe
4408	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\%SESSIONNAME%\mtbeh.pic	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
4832	2924	WerFault.exe	84
5096	3164	WerFault.exe	88
1144	112	WerFault.exe	91
540	548	WerFault.exe	94
5084	4580	WerFault.exe	97
3236	5076	WerFault.exe	100
4556	668	WerFault.exe	103
4120	5080	WerFault.exe	107
1116	2328	WerFault.exe	110
4928	2732	WerFault.exe	113
3724	2808	WerFault.exe	116
4924	4936	WerFault.exe	119
4320	2736	WerFault.exe	122
4080	2500	WerFault.exe	125
4068	4740	WerFault.exe	128
1916	2744	WerFault.exe	131
2688	2876	WerFault.exe	134
2096	220	WerFault.exe	137
5024	2952	WerFault.exe	140
1888	3876	WerFault.exe	143
184	4948	WerFault.exe	146
3220	2284	WerFault.exe	149
4484	3536	WerFault.exe	152
4116	3280	WerFault.exe	155
2160	4120	WerFault.exe	158
3428	628	WerFault.exe	161
2040	4880	WerFault.exe	164
4372	3300	WerFault.exe	167
4356	4984	WerFault.exe	170
2736	4968	WerFault.exe	173
2748	4080	WerFault.exe	176
2840	4812	WerFault.exe	179
4472	3488	WerFault.exe	182

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeBackupPrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
Token: SeRestorePrivilege	3208	3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3110403db8b3ac2087f607210321f8b3_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 592
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2924 -ip 2924
1⤵
PID:440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 592
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3164 -ip 3164
1⤵
PID:5052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 592
  2⤵
  - Program crash
  PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 112 -ip 112
1⤵
PID:3052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 592
  2⤵
  - Program crash
  PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 548 -ip 548
1⤵
PID:3368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 592
  2⤵
  - Program crash
  PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4580 -ip 4580
1⤵
PID:2156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 592
  2⤵
  - Program crash
  PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5076 -ip 5076
1⤵
PID:316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 596
  2⤵
  - Program crash
  PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 668 -ip 668
1⤵
PID:1468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 592
  2⤵
  - Program crash
  PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5080 -ip 5080
1⤵
PID:752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 600
  2⤵
  - Program crash
  PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2328 -ip 2328
1⤵
PID:804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 592
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2732 -ip 2732
1⤵
PID:3680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:2808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 592
  2⤵
  - Program crash
  PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2808 -ip 2808
1⤵
PID:3264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 592
  2⤵
  - Program crash
  PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936
1⤵
PID:3892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 592
  2⤵
  - Program crash
  PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2736 -ip 2736
1⤵
PID:3412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 592
  2⤵
  - Program crash
  PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2500 -ip 2500
1⤵
PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 592
  2⤵
  - Program crash
  PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4740 -ip 4740
1⤵
PID:3616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 592
  2⤵
  - Program crash
  PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2744 -ip 2744
1⤵
PID:3832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:2876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 592
  2⤵
  - Program crash
  PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2876 -ip 2876
1⤵
PID:3028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 572
  2⤵
  - Program crash
  PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 220 -ip 220
1⤵
PID:1284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:2952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 592
  2⤵
  - Program crash
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2952 -ip 2952
1⤵
PID:5028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 592
  2⤵
  - Program crash
  PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3876 -ip 3876
1⤵
PID:2432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 592
  2⤵
  - Program crash
  PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4948 -ip 4948
1⤵
PID:4100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:2284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 592
  2⤵
  - Program crash
  PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2284 -ip 2284
1⤵
PID:4196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:3536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 592
  2⤵
  - Program crash
  PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3536 -ip 3536
1⤵
PID:2780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 592
  2⤵
  - Program crash
  PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3280 -ip 3280
1⤵
PID:1884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:4120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 592
  2⤵
  - Program crash
  PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4120 -ip 4120
1⤵
PID:4584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 592
  2⤵
  - Program crash
  PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 628 -ip 628
1⤵
PID:4576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 592
  2⤵
  - Program crash
  PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4880 -ip 4880
1⤵
PID:4488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:3300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 592
  2⤵
  - Program crash
  PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3300 -ip 3300
1⤵
PID:1488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 592
  2⤵
  - Program crash
  PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4984 -ip 4984
1⤵
PID:1196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 592
  2⤵
  - Program crash
  PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4968 -ip 4968
1⤵
PID:4140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 592
  2⤵
  - Program crash
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4080 -ip 4080
1⤵
PID:3484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 592
  2⤵
  - Program crash
  PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4812 -ip 4812
1⤵
PID:3504

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:3488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 592
  2⤵
  - Program crash
  PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3488 -ip 3488
1⤵
PID:1828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%SESSIONNAME%\mtbeh.pic

Filesize
6.2MB

MD5
f30addedf4b4ee875d844cf6b21223fe

SHA1
6ca5edb1d275c74f61b1170ad57f362458fbec8d

SHA256
eb8157f56f61e780d6341a646da0f6a2f93085e3dc8cbbef4f3dba50bac38e23

SHA512
c6859624d0b693e4568715c700ce2b39c0a3e99da2ba9957981cbadcf926af81c77b39b65108470a52a744de553e41481f675df8a8beecb3a3b3dd7c9d43e10f

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
23.0MB

MD5
4cf669ecc597552826128bb40ad58c80

SHA1
67472e2aa2115fcc8e17021fdfb3532d16f843c8

SHA256
d7f45278a6258d3a7f808cb0b7ff67259ed219ec965e8c45da35981d93582530

SHA512
63cd9e5211eb431b84012ecb54e35e2c1525199c0d1d8fe5ec5f08377decc2c642f9d60a45914fb363c0d9b3c4c9fc9c2b3a6aec172aec4d8d21ab5b4cae3246

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
19.0MB

MD5
7395249633700439187bc4082c76ec27

SHA1
057913ff178619d4c56a0c8ef7f4e2660df2770f

SHA256
213caae3d940dd41f25be895f834126b4d1441a79c72fb13a7a06835b09333db

SHA512
f1e682f0b78480e4a0093737a8689e044fc32f7ccc544a85a51f6230ba58589b28b3ff32792d75010186b9a271d12e20c8852134a090a0faf39a3fffff1a5db2

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
23.0MB

MD5
c919a2dfc274b038d0245551a770befd

SHA1
38adf6101c40b96dacee86672f6eea6e02138813

SHA256
d30c3db33e7deecb0bad16af473d9e8d874d0b9be7c5d5633428d0a850515f45

SHA512
b1e470450c981fd4d14e36403d37832619d4a9c27b35bf9238502e5893569b852f41fa51c66bc1f7ff9dc2a8e2c5083787c8b8d37eb855c6cc305cc5d303034f

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
24.0MB

MD5
5af8107d45123fff942b9ddc165f5e21

SHA1
0655bb17159eb8e6e4b710a9f781376b8c58fbab

SHA256
a1f1a5c8c400c74a07c8986a0e1f510e9885e6db3c6548c895d5213d75d9b3b4

SHA512
917d9abb3fa058ff0ad73f3bdb6fcaded5ad42ac0f8644e30041d019eda9bdafaa59a36ffadf3e4a035489980cc8a202712f0363bb263359bdc96f220d8e281d

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
22.0MB

MD5
66f34e48d0e46134df73ca78a3a1d72e

SHA1
d880c18f0cf9b163d754b005c2ed7b8472e424a3

SHA256
899ec3383d1e181fa0a15d94a27f8d0de80e73b8e68f988177fe1c9384541ac0

SHA512
b2ea9231bc3aacee488e426d2163d06695c2b6cd8bc32cc208dea85ac776af61758004eecbd6b6296f6409731929681dbf8f85f24f7e3610c53e42bfdf63f070

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
21.0MB

MD5
5c334b93085c31e4408de90e4ea854c2

SHA1
97b2b2d678cb52dffc3d7f84da8d44fec09c4cee

SHA256
76bb8a5bd5b69be33f643ec9b16077f15b680f97e7e86e1b15a5fb83c2220279

SHA512
b84f0223bda3b121656235ffe5087048f631476d58aa6c6b2b1840a767c905f3fd05e484982e58c6f0d1921185185bd87cf3642b4285615776cad71508e73e15

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
19.0MB

MD5
b19874fe036619bfb27bd160dbf72e02

SHA1
9b016161b8be7b4b73389ec55aa17c3c79b1663f

SHA256
1660694f25d6c1e896154198f28c4462a32798097a6a43bae8c4f7d7b985bf02

SHA512
e2ff39673c38d03e865179ffc45307133da21c00af7fab720cd276152a6098e6636bcdc2813533a4c227dc9137b437002166ce3a92b4d4b363bdad3030e7b98c

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
24.1MB

MD5
1f6b66facb2149e48934cb6d642a51b5

SHA1
0f36364a55f52b08af6ca414bef9fa48b9782286

SHA256
eeb42ebba64e26ec11f21ad3cf5e0894e00f088aeef395e66b8ee6c3c6a9f68f

SHA512
51f415e510c14e50805e1948d3ce2bed2766056e439d79539bcbe1a2f61ff35722d3807bb0109b75c6a94d43a27cab78f543dc81408c8450b9d055a9a7837163

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
23.1MB

MD5
52c9523470b3e22d68a94cad79965a40

SHA1
d3105f7797cf47c2b2bd26c7e9fa99c22ef92fcd

SHA256
8e53dbf8a9b4811887b322e7253a7a2b2d55c916466885ca46b6a64742300f13

SHA512
cd39d0453007204ef3766fe68806d8e5a400cde9005ba8dfbe1033e3be4d18c81883353b4e3376ab049d0c968ee9d57362f9aaa352c5fc1d19e288f0b05c18e2

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
19.0MB

MD5
8fb1201fb0d9c1ffe323473695da9e87

SHA1
11a7b07ba4924a49384a9f03f916a62f0f5dc4ae

SHA256
77c7b41ae917b0db70d24e95736c061ccf565e22612e74d3265fa057859eca3d

SHA512
027b0c1728f48a59ec9771b2b084b50a1fe5bfb75017a3d4d484fa53f7b73147cdceea121a3aac839ab241b06c1657cc5ab0103f35a824b2bfc23618ca4b99fd

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
19.1MB

MD5
a78c07c933cabc7718a5aa95376337f3

SHA1
abb1be4cde465d0a44c312848c20d0eaa8a85f5b

SHA256
d43ad64459cdc30b366d2e9131bfcceb86c5e2fee0640ba8f06528a928539db5

SHA512
d65d01152bb16669199b596ba76ab4c3b2e4e58dedae8b7c26a55325d6a3daca8e47ebf631595a1e59788ca1785ce15df0691bd6283cbdcda8924e1a98cb1a50

Download Submit
\??\c:\program files (x86)\%sessionname%\mtbeh.pic

Filesize
7.8MB

MD5
3e507ee15aa0c2057e4fb6822851731b

SHA1
2c2470b90bcd74f8a0f3b8b4678cdb21f30584fa

SHA256
7dd668a542b8bfd8d9a55c7aaaedb44206178a594bf669eadde1e493ebd241cf

SHA512
3d315bb5ddcb3968fede240d2542ef65460a46ec9a0522e849d3a7e19b9da6f371e6e3abb80bffc23a0a5f45c5745a35e348d1c9a0c0362b65863acc67614195

Download Submit
memory/3208-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3208-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download