gh0strat | c40f2596b6424e31dbaf29e1cf3157ce819149a29b2e0cdafe6c17e7eb6c25c7

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 08:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Size

164KB
MD5

77970a954e8e00bca768f6913831b915
SHA1

45ae0952d04610479762340533060f158aca0da5
SHA256

c40f2596b6424e31dbaf29e1cf3157ce819149a29b2e0cdafe6c17e7eb6c25c7
SHA512

50893270517685fa2e329b8d49e14bbeed9e33146f62e1963870e8a5000fe27db8fd4310e945be0e0f11d88ac82e29cc333ad78d1c9d1a6b95b9712b1f2a1f18
SSDEEP

3072:k240YbRv/nl8glGi6KkWUR6qev3S6q+WDtDOUeGCIrF1j6iJxb:/Y1v/nCpbWUR6qePxqh4UeGCIrbeiJx

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 13 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022ab3-4.dat	family_gh0strat
behavioral2/files/0x0004000000022ab3-10.dat	family_gh0strat
behavioral2/files/0x000d0000000234d6-16.dat	family_gh0strat
behavioral2/files/0x000f00000002340a-22.dat	family_gh0strat
behavioral2/files/0x001100000002340a-29.dat	family_gh0strat
behavioral2/files/0x001300000002340a-34.dat	family_gh0strat
behavioral2/files/0x001500000002340a-40.dat	family_gh0strat
behavioral2/files/0x001700000002340a-46.dat	family_gh0strat
behavioral2/files/0x0006000000022ab4-52.dat	family_gh0strat
behavioral2/files/0x0008000000022ab4-58.dat	family_gh0strat
behavioral2/files/0x000a000000022ab4-64.dat	family_gh0strat
behavioral2/files/0x000c000000022ab4-70.dat	family_gh0strat
behavioral2/files/0x000c000000022ab4-71.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 34 IoCs

pid	Process
1436	svchost.exe
624	svchost.exe
3032	svchost.exe
4576	svchost.exe
4344	svchost.exe
3656	svchost.exe
3372	svchost.exe
1672	svchost.exe
3136	svchost.exe
1924	svchost.exe
2948	svchost.exe
4840	svchost.exe
692	svchost.exe
1148	svchost.exe
1256	svchost.exe
1568	svchost.exe
1372	svchost.exe
3008	svchost.exe
5104	svchost.exe
1260	svchost.exe
2364	svchost.exe
1496	svchost.exe
4716	svchost.exe
1728	svchost.exe
5096	svchost.exe
3264	svchost.exe
3140	svchost.exe
4876	svchost.exe
1180	svchost.exe
4748	svchost.exe
3516	svchost.exe
4264	svchost.exe
1440	svchost.exe
4988	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xmdle.cc3	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
4516	1436	WerFault.exe	92
4916	624	WerFault.exe	96
4996	3032	WerFault.exe	100
3472	4576	WerFault.exe	105
2244	4344	WerFault.exe	108
60	3656	WerFault.exe	111
2340	3372	WerFault.exe	115
5020	1672	WerFault.exe	118
1704	3136	WerFault.exe	122
4304	1924	WerFault.exe	126
3708	2948	WerFault.exe	129
2044	4840	WerFault.exe	132
1748	692	WerFault.exe	135
2304	1148	WerFault.exe	138
4084	1256	WerFault.exe	141
1076	1568	WerFault.exe	145
3144	1372	WerFault.exe	148
3432	3008	WerFault.exe	151
4328	5104	WerFault.exe	154
1808	1260	WerFault.exe	157
1912	2364	WerFault.exe	160
3516	1496	WerFault.exe	163
3012	4716	WerFault.exe	166
1168	1728	WerFault.exe	169
2756	5096	WerFault.exe	179
1372	3264	WerFault.exe	182
4940	3140	WerFault.exe	185
2168	4876	WerFault.exe	188
864	1180	WerFault.exe	191
1848	4748	WerFault.exe	194
4032	3516	WerFault.exe	197
4788	4264	WerFault.exe	200
3064	1440	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeBackupPrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
Token: SeRestorePrivilege	3172	77970a954e8e00bca768f6913831b915_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\77970a954e8e00bca768f6913831b915_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77970a954e8e00bca768f6913831b915_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 592
  2⤵
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1436 -ip 1436
1⤵
PID:700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 592
  2⤵
  - Program crash
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 624 -ip 624
1⤵
PID:456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 592
  2⤵
  - Program crash
  PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3032 -ip 3032
1⤵
PID:532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 592
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4576 -ip 4576
1⤵
PID:1148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 592
  2⤵
  - Program crash
  PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4344 -ip 4344
1⤵
PID:656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 592
  2⤵
  - Program crash
  PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3656 -ip 3656
1⤵
PID:4956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 592
  2⤵
  - Program crash
  PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3372 -ip 3372
1⤵
PID:5004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 592
  2⤵
  - Program crash
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1672 -ip 1672
1⤵
PID:1512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 604
  2⤵
  - Program crash
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3136 -ip 3136
1⤵
PID:3432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 592
  2⤵
  - Program crash
  PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1924 -ip 1924
1⤵
PID:3412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 592
  2⤵
  - Program crash
  PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2948 -ip 2948
1⤵
PID:1504

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 592
  2⤵
  - Program crash
  PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4840 -ip 4840
1⤵
PID:4980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 592
  2⤵
  - Program crash
  PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 692 -ip 692
1⤵
PID:540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 592
  2⤵
  - Program crash
  PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1148 -ip 1148
1⤵
PID:4944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 592
  2⤵
  - Program crash
  PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1256 -ip 1256
1⤵
PID:3228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 596
  2⤵
  - Program crash
  PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1568 -ip 1568
1⤵
PID:5096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 592
  2⤵
  - Program crash
  PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1372 -ip 1372
1⤵
PID:112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 592
  2⤵
  - Program crash
  PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3008 -ip 3008
1⤵
PID:748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 592
  2⤵
  - Program crash
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5104 -ip 5104
1⤵
PID:2964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 592
  2⤵
  - Program crash
  PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1260 -ip 1260
1⤵
PID:3544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 592
  2⤵
  - Program crash
  PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2364 -ip 2364
1⤵
PID:1556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 596
  2⤵
  - Program crash
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1496 -ip 1496
1⤵
PID:3020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 596
  2⤵
  - Program crash
  PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4716 -ip 4716
1⤵
PID:888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 592
  2⤵
  - Program crash
  PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1728 -ip 1728
1⤵
PID:3880

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 592
  2⤵
  - Program crash
  PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5096 -ip 5096
1⤵
PID:1076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 592
  2⤵
  - Program crash
  PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3264 -ip 3264
1⤵
PID:3144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 592
  2⤵
  - Program crash
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3140 -ip 3140
1⤵
PID:1160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 596
  2⤵
  - Program crash
  PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4876 -ip 4876
1⤵
PID:2040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 592
  2⤵
  - Program crash
  PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1180 -ip 1180
1⤵
PID:2604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 592
  2⤵
  - Program crash
  PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4748 -ip 4748
1⤵
PID:1028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 592
  2⤵
  - Program crash
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3516 -ip 3516
1⤵
PID:1772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 592
  2⤵
  - Program crash
  PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4264 -ip 4264
1⤵
PID:2344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 592
  2⤵
  - Program crash
  PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1440 -ip 1440
1⤵
PID:5032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4988 -ip 4988
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xmdle.cc3

Filesize
19.4MB

MD5
0f426f0c7e956a8d124e44752caa85ba

SHA1
62938cbfde78fd7093ad830f31be20bc26463e08

SHA256
5a33b864449031e1349b11ff0709fb0d71e28161a4c63c3cc9b6e8c6abee20fb

SHA512
a9f3242b02ff5d3986db62d4bc1e0380e2cb3df079f2e3e4163b6d4b7bf25af6dc979fec8d1fd889b2eb3a777cafdb004216c2c66cca35e2667aede71c0d9639

Download Submit
C:\Windows\SysWOW64\xmdle.cc3

Filesize
20.0MB

MD5
15e3caf0c8c491dcfdeab056cae5e6f9

SHA1
53ad09a5f7c1adcadd244ebdbb2907bc4c11b54f

SHA256
59cb6a4f8e42772539b31c9cf787625f559fba2b15421dda47169abbaf9adbe8

SHA512
daea48398ee6816136b076787838ac16b1fb2072ac8c463ddc65a7e40b570390a9d3fe1c0dbef73426e83fc8bcc8b3b76dad4074ce57e2020b3f96f017488361

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
24.0MB

MD5
4ee3b5f7ef4bca31d4971648334f3625

SHA1
2f158bdd172f2c2c1c351d7fcdb03cab7cb6a8e6

SHA256
3c725fa388a727e8fd634e40d4fa0ca234dcdd5a711379f79717cc026e957adc

SHA512
d4538496228282886e8e52d29e3ca1a2e2fa0d8eac66942e9a29607273562d021925246d6ce3ecfca3da82870a2834e2cec677b29ebefb07966461da13eb2750

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
22.0MB

MD5
e070dbdce61e76a925f7acec1e6c3ebf

SHA1
8bf790e6515f8f0f75229f6acb17fad46bd72ce1

SHA256
cfb6e9c450c9f07dd535824541e4efa573d74169edfc07016f55c2bddb61312b

SHA512
afa93a1fe2848f6738902b2436a586258c10171fa69d4b703552184d088ee95879f2613cc53d235d0f362647dd2c71a8d12a82e5a56e91e7c0a985e0b307f06a

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
24.1MB

MD5
0d36986335276d3af149e0b8a70af7d7

SHA1
43987152dbd407b308c2c9424b072699d3b9a417

SHA256
8ef4c697e6d887e8e3197996d886792ba475c0884fa85486f217e82878f1ea21

SHA512
5fc3193342ba90e8ddba6e255a9b1591a082ca7e3a19db988ecdf701b08c7d4543a047916a5c4d9b1f1e5bf1b553bf5ff0b1c4e9e8c516ebdf6057c0c06c81de

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
20.1MB

MD5
7bde7a0aa00501bb5bb3b46e02fa8c22

SHA1
12fb6580b35cca644bfdcd6cd8d5e2740310c0e0

SHA256
8ffc201fad826c192adcd52f088e41a2c6e5e891caaf52f3b280a95553cf3990

SHA512
36a274ad61c01467cb4e9f8c13d9e0357dbbe566678fa3e1af425cf6452c1507d5e96786a20d67b09b5e775f5c0f8825718fd04d479c64cafd5d004c476581bc

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
19.1MB

MD5
cbddc35b390598a51c3375939edfd016

SHA1
a12134ec24d9e14a8022957722428bf18788179b

SHA256
e6601a0c0446760721f1c946915f3ffcf7cc6dcd8ebd9dc5a9803743d483a6f7

SHA512
951257d5fcd18666c272eda86856b6cc9a84f4287e288fa069913ba1cafb39e93a96afb74205bc84de8354a7a48d254f00a8885e655c6e3a18004f5114e27952

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
21.1MB

MD5
3000fc3cb04b7f2cb153c1bf8a74028f

SHA1
48cf9be2550b2bd7cf32d18a82bf5beeea2a6d65

SHA256
f183777484f465afb9d9e814c19882c46b172d0543f5fa90d275174c7c010b54

SHA512
79f66b5177112dcd7d8fe791ff1822ca96cbc786b1c3b71987a3796ea954b79c7e1f967b77a83b6d32fd148d1f35921604eb740993981561f7d5f1cf62bc10dc

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
19.1MB

MD5
c2d4349fea6d12eee61052106ab700a4

SHA1
cff9b5f67044d51497453efdb21eec347097070b

SHA256
62204a3da123c0ad90d071b6a666d1ef2ab1abaa2c34ea2a7ebe1fc260bb8acf

SHA512
a8164b69f36f5e4008da0601c22cd77991dd20fc51c9ba62e7aa6ba1f867ce6384d5333f48bf7402471b3dd8a9b7993b70e7f8a5b80ce7b0374fae8b8bd1224c

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
19.1MB

MD5
e84470ff6c069037505442c11c397f62

SHA1
fa072b34dc5a3e9063af89b6b091eae76c04e4e3

SHA256
59e4c9fbdbffb1fe8af96133aba0b530bb549e4ef453a41dfc480429e3968b30

SHA512
317c7e1b9bc6543a90696948515c2f35c001964de7a404d3fc2dcc0081fc542253ca34406c5e8e22603844f84688b7ce929d2e0134d9da0c9c5ad870cede522a

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
19.0MB

MD5
efd2ba1b74ff7fb7f07a2da834172d41

SHA1
4c428246178b169f2c4baafc86928039fe41f25f

SHA256
7483ab3b68d0a06018ca8f7531e38b308422a0b67f01d91c9cf5e0257572dc8e

SHA512
fbdbc4229d7993c60cf12487ba6951d7bd2f046fa65d05f101c434df9f182ef64b21a0e19c042a36d89c39333de194f79e768c2df5b8005871c48830606f3660

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
22.0MB

MD5
e239e9a38d033d382f7b6f209af1b4d4

SHA1
a4ff95f0ba60b28a11b35037f07010d06963ff1c

SHA256
18421a4a96895c3f98962ace85d2c04b0c43cdd99a8cf71a3ae69cca5c26aa32

SHA512
b5cf878f89e115984557ecf9a413c63ec8b66415c8b4ab8388d00a361dc7d9da61996d8ce4b5c6abe93c2276fa8dd40ea2e5313684e62ca8c184e04a1798e4dc

Download Submit
\??\c:\windows\SysWOW64\xmdle.cc3

Filesize
22.1MB

MD5
3c7c39608d722569a2bf64ba1acfc6ff

SHA1
39969f88918e165732da32db8619e437efee14e4

SHA256
e6399236a1479a726b0f469c72ae7c89d60fb639036cab49e8484f704e8bef0f

SHA512
284b7d20b1dd4edd99b8857db72c978f92ab26401cd5db00bf9eeb46497e269f40ce8132f906c917da5945a0faf047fbfe06482946915b1f5279fbb7c6c5ff04

Download Submit
memory/3172-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3172-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download