gh0strat | c11a68bb59e1ce8c3eb405811057f31fdcb5df5ad0afe691ad320dff6af75194

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Size

91KB
MD5

39fb4515406c2ad135907422e9a8d4c2
SHA1

26b5dfd29c1eb2d94fdeb16be56a1f406411b613
SHA256

c11a68bb59e1ce8c3eb405811057f31fdcb5df5ad0afe691ad320dff6af75194
SHA512

7d18e2797d8214bb7119800809836b5a7c57cec0fe8cf780621fc128b7b1b5d906349ec1978fb8da966195ff238c20760e2d20ac27123e1deddf8e742e6474b6
SSDEEP

1536:FRicmlkKXvbMOQa/62KDK+H7NVR1jwU/k+plcFzhjoeE+y2h+DBl48xgRYc15IKr:FscmlPbt/657NVR1jpuzCeE+Jh+du8Gz

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000234d4-5.dat	family_gh0strat
behavioral2/files/0x000c0000000234d4-11.dat	family_gh0strat
behavioral2/memory/4916-15-0x0000000000400000-0x0000000000449000-memory.dmp	family_gh0strat
behavioral2/files/0x00130000000234df-19.dat	family_gh0strat
behavioral2/files/0x00150000000234df-25.dat	family_gh0strat
behavioral2/files/0x000f000000023420-31.dat	family_gh0strat
behavioral2/files/0x0011000000023420-37.dat	family_gh0strat
behavioral2/files/0x0013000000023420-43.dat	family_gh0strat
behavioral2/files/0x0015000000023420-49.dat	family_gh0strat
behavioral2/files/0x0017000000023420-55.dat	family_gh0strat
behavioral2/files/0x0019000000023420-61.dat	family_gh0strat
behavioral2/files/0x001b000000023420-68.dat	family_gh0strat
behavioral2/files/0x001d000000023420-74.dat	family_gh0strat
behavioral2/files/0x001d000000023420-76.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 36 IoCs

pid	Process
3016	svchost.exe
3760	svchost.exe
4908	svchost.exe
1516	svchost.exe
4644	svchost.exe
4852	svchost.exe
2708	svchost.exe
2044	svchost.exe
4648	svchost.exe
5084	svchost.exe
4820	svchost.exe
1556	svchost.exe
1984	svchost.exe
2124	svchost.exe
1076	svchost.exe
908	svchost.exe
5096	svchost.exe
2160	svchost.exe
2704	svchost.exe
928	svchost.exe
2976	svchost.exe
664	svchost.exe
3188	svchost.exe
2912	svchost.exe
1604	svchost.exe
3400	svchost.exe
1332	svchost.exe
4324	svchost.exe
684	svchost.exe
4048	svchost.exe
640	svchost.exe
4968	svchost.exe
4996	svchost.exe
4200	svchost.exe
2972	svchost.exe
4188	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%SESSIONNAME%\myisd.pic	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe

Program crash 35 IoCs

pid	pid_target	Process	procid_target
2568	3016	WerFault.exe	86
2800	3760	WerFault.exe	90
3972	4908	WerFault.exe	93
4264	1516	WerFault.exe	96
5104	4644	WerFault.exe	99
2564	4852	WerFault.exe	102
888	2708	WerFault.exe	107
1464	2044	WerFault.exe	110
4888	4648	WerFault.exe	113
4448	5084	WerFault.exe	116
1300	4820	WerFault.exe	119
5056	1556	WerFault.exe	122
4224	1984	WerFault.exe	127
2280	2124	WerFault.exe	130
4732	1076	WerFault.exe	133
4180	908	WerFault.exe	136
1540	5096	WerFault.exe	139
1648	2160	WerFault.exe	142
2240	2704	WerFault.exe	145
3592	928	WerFault.exe	148
3308	2976	WerFault.exe	151
1660	664	WerFault.exe	154
2764	3188	WerFault.exe	157
4536	2912	WerFault.exe	160
4428	1604	WerFault.exe	163
4236	3400	WerFault.exe	166
4828	1332	WerFault.exe	169
4244	4324	WerFault.exe	172
2504	684	WerFault.exe	175
736	4048	WerFault.exe	178
3244	640	WerFault.exe	181
3612	4968	WerFault.exe	184
2312	4996	WerFault.exe	187
2996	4200	WerFault.exe	190
4376	2972	WerFault.exe	193

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeBackupPrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
Token: SeRestorePrivilege	4916	39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 592
  2⤵
  - Program crash
  PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016
1⤵
PID:408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 592
  2⤵
  - Program crash
  PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3760 -ip 3760
1⤵
PID:2504

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 592
  2⤵
  - Program crash
  PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4908 -ip 4908
1⤵
PID:2288

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 592
  2⤵
  - Program crash
  PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1516 -ip 1516
1⤵
PID:1016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 592
  2⤵
  - Program crash
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4644 -ip 4644
1⤵
PID:2360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 592
  2⤵
  - Program crash
  PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4852 -ip 4852
1⤵
PID:2116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 592
  2⤵
  - Program crash
  PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2708 -ip 2708
1⤵
PID:3048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 592
  2⤵
  - Program crash
  PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2044 -ip 2044
1⤵
PID:2760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 592
  2⤵
  - Program crash
  PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4648 -ip 4648
1⤵
PID:1584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:5084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 592
  2⤵
  - Program crash
  PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5084 -ip 5084
1⤵
PID:3968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 592
  2⤵
  - Program crash
  PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4820 -ip 4820
1⤵
PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:1556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 600
  2⤵
  - Program crash
  PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1556 -ip 1556
1⤵
PID:3148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 592
  2⤵
  - Program crash
  PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1984 -ip 1984
1⤵
PID:408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:2124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 592
  2⤵
  - Program crash
  PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2124 -ip 2124
1⤵
PID:4620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:1076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 592
  2⤵
  - Program crash
  PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1076 -ip 1076
1⤵
PID:2628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 600
  2⤵
  - Program crash
  PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 908 -ip 908
1⤵
PID:4280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 600
  2⤵
  - Program crash
  PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5096 -ip 5096
1⤵
PID:3940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:2160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 592
  2⤵
  - Program crash
  PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2160 -ip 2160
1⤵
PID:1472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 592
  2⤵
  - Program crash
  PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2704 -ip 2704
1⤵
PID:4856

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 592
  2⤵
  - Program crash
  PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 928 -ip 928
1⤵
PID:3632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 592
  2⤵
  - Program crash
  PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2976 -ip 2976
1⤵
PID:4952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 592
  2⤵
  - Program crash
  PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 664 -ip 664
1⤵
PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:3188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 592
  2⤵
  - Program crash
  PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3188 -ip 3188
1⤵
PID:1816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 592
  2⤵
  - Program crash
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2912 -ip 2912
1⤵
PID:2264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 592
  2⤵
  - Program crash
  PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1604 -ip 1604
1⤵
PID:3100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:3400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 592
  2⤵
  - Program crash
  PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3400 -ip 3400
1⤵
PID:4052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:1332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 596
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1332 -ip 1332
1⤵
PID:316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 600
  2⤵
  - Program crash
  PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4324 -ip 4324
1⤵
PID:3772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 592
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 684 -ip 684
1⤵
PID:5032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:4048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 600
  2⤵
  - Program crash
  PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4048 -ip 4048
1⤵
PID:4864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 592
  2⤵
  - Program crash
  PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 640 -ip 640
1⤵
PID:1904

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 592
  2⤵
  - Program crash
  PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4968 -ip 4968
1⤵
PID:2260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 592
  2⤵
  - Program crash
  PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4996 -ip 4996
1⤵
PID:4368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 592
  2⤵
  - Program crash
  PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4200 -ip 4200
1⤵
PID:1620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 600
  2⤵
  - Program crash
  PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2972 -ip 2972
1⤵
PID:1696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:4188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\%SESSIONNAME%\myisd.pic

Filesize
22.0MB

MD5
5420172aaab5221bb31bf7d421e19ac3

SHA1
8f88b506d5369e93123e980bf9b62e827aedd41b

SHA256
eed4f86dc6fdc4d77d7a267568e9fa55dbf93cffac6ca57d27defb3a03dcd387

SHA512
da7d0d1629cd29831e056d5c0c87bc7c1dc57efca289141e4cde7f96a6b78f1a84c51a1770e8d53e4d6932593811d1b3f6929610f46dd420fd6dc73eaa1d1f23

Download Submit
C:\Windows\SysWOW64\%SESSIONNAME%\myisd.pic

Filesize
19.0MB

MD5
ba9f2b1f29ad2a34bc70a910fe4faa80

SHA1
dbe9203e0d3aba7f320dcb50b586260ddf8cc7b2

SHA256
20b8a92737a73460bf9438fd8d6b6fa30532a3e1d5da09992bafbec0bcfa41f7

SHA512
961423c869178c9dcdbc36617a426150f80d142ef3f88d93014eb85eca757cbdcbb89e553113edd9adfb3f873415b30043c551232f2eadaf6efa6a24b9c99964

Download Submit
C:\Windows\SysWOW64\%SESSIONNAME%\myisd.pic

Filesize
11.9MB

MD5
634dd12feda3a5f862f0b1b9775bf05f

SHA1
5e083406739ec21bb2277b4e711b6d2aa618bcf9

SHA256
c66197c60fcb7bcfaaa4c740e7d00b3b53a51f210d1bb887a70b2a61ba6f1d53

SHA512
73fdc884e3d6dca05a9866bfecd232ef28b63e47047c562853179c69a1d7c66f710ffb37eb2b6cc67dd1d44b2fe126a4e377d98b03dc609e31147eb2ada0c03e

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
21.1MB

MD5
22fd479f555bcbcaa41380d7586cf266

SHA1
b97a648f16a3a0a63c3a3b03fcfdd4caee9c98c5

SHA256
4214ca1dfe2d0b0603799abe606943de8d7a52b9af444678d066fc6c069293d0

SHA512
a58c8b3d2d5b895d7d41df077d0f065c435c9c7a8f34a76449719bbbd003ee78fa87af1d0a85e6bb2d12c8553a056d783a72a69ef038a73d7dce87c612dbd60a

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
22.1MB

MD5
84421c1de49256abe69ec8efebe2fce0

SHA1
763b7a54257ae0550f3d008449c567b3f50e0985

SHA256
744566386ba9c5f7e3316a077ab06505d241f3ae5fa2a26691c2bbe4fd86e667

SHA512
a67031568c73b9373acc234b36c3d17e2a479c286c86a2dfcd1bb6cb6f1c5bbf82445ecb1c5f5b1ef557479f3fe2935ae688ee5b2acdf002ebd9c78a68cac6dc

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
20.1MB

MD5
d60ed06b22dd1d16ef32703db7701151

SHA1
979773224cf93a233a53abf0b2c7381c76834214

SHA256
95ccded38d8c39bd21ef34df93b513f75e15921ec187140d8d282d43920b01ec

SHA512
6065a7f1d9dd651cc2e038add010a1efbc03382a8f249055a1aad0d6d0fb5263e80af35fa2e3de83844c1ac2d2de5a6d781ade4c0dc5fe2886007f14bf72f380

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
23.0MB

MD5
4614b89cdbf7aae95465a1c70c0c0089

SHA1
2df2b619d59cc860ec7042900f8ea114f9bae11e

SHA256
1f3072779d08de02c039f4d56791e31b62ba1679d43179d0fde76653634ea040

SHA512
1423f45f2ea070586622834fab0006c4660d590967d7690b1de8c6095a4bad41a0fca6d68e50face12c9e9c411c5521e1e5df99d4041e07380caafb99fab5aac

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
19.0MB

MD5
d60b2e8fe96c5813945afabcc632b63c

SHA1
3ab4294122b9e9af66ed0975ab28cb210ec14d88

SHA256
78462f68881c3bb4aa915c91c28174476b1062613e2a48c0c56c2028e6a395f1

SHA512
a2a05de8d9901b9e43b30b0e6a882b7d9d585db0b6fc591c1f2e4417569bd7af375adc5f387cec47caa9d574a8eb2db9b8a13543bb711eca3c53983806cf74d4

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
24.1MB

MD5
a169cb635222ccb144d0f3b61bea978c

SHA1
5d63f88045290c6798aee878a9ccff8a1ad6bb07

SHA256
3494bd9dc0ec61bdee446d46cb6d9601153a4fd76d748fffcc0ce56f2da87db5

SHA512
56fa77dbbb12241ecc51e82289f6a4999d62cc4c1c04a3ef2ae385de31358afd4c385ad302eb1ff7b6e2430dca37cbb62754716719c55b481bd90a1c616d53f8

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
20.0MB

MD5
ebe28438104e6457e7d7051bdf4ae455

SHA1
fc3dde0736ee06ff6f9f3555ef687dcc9c6e8f71

SHA256
352cfc0a8a0729666794612db4b55ea84d735e386a67f5853512ae6e5d1618d7

SHA512
01b25527f7d208ecab85a3ae45d5621f66a77a3ed7d0893fd2316ccf3c3ada34e58093a6208845b1c5f3782c781d4a1087832f4fd72a83db465096de5137d30f

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
22.0MB

MD5
45b2ecc72a5846044d936617378b3ac9

SHA1
70446c5ac6ea2b7931b3e6558f29a1881b793869

SHA256
13b3c106f63cae713ea86b93c0e70433b5b79b60eaa01908801ee54461386ba3

SHA512
08b44ac849c0eabd38f0afce3b497e6c85e7f653b53754201e25ece3df1c4d5c82311c47f40196cdf1996a1602f71695788e9b72212425eeba5dfd90fdf7f560

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
19.0MB

MD5
7d7f332118eacc37054fee1fabc65fad

SHA1
1cb005660e859f6e3f40f236cd5c5d8ffb2fbf92

SHA256
d64c3c1c052987c4e64c229d2470014897f5faf99af84f1c74a4de0c00691caa

SHA512
17d2460ea850071f1cd6db40e45d867d087d0ffab58445fb6141cdc571c3a63f0a583c4f1cf7703de3740ca16b241b592c1075505714d880dbf16303dfb697eb

Download Submit
\??\c:\windows\SysWOW64\%sessionname%\myisd.pic

Filesize
19.0MB

MD5
4dca63336098738250c05dcd6c43afd8

SHA1
26578e253a3844b305f1f419ace167082529b70e

SHA256
c618876481668f87afd33b758e9236c96438d878dcf59f45a78a62ef3d39924f

SHA512
e1e0ac10683a424f858c5d03983e49db009132e534732a29fae0da5511223473ee69a258a0909be9c1d502f559f2da582209d2ecd27a3e53350b168d3fd743a2

Download Submit
memory/4916-16-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4916-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4916-15-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4916-2-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4916-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download