gh0strat | e0d62485b5250ab63c4c802a409181a2031e3d2c2a7ba47ef48acfd12ea70ff1

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Size

192KB
MD5

289a6da47bae0e135fadb98818eac301
SHA1

c6768e4ef401fcd33e4baa7f9f896f1f8957db57
SHA256

e0d62485b5250ab63c4c802a409181a2031e3d2c2a7ba47ef48acfd12ea70ff1
SHA512

d66e0649dab97f28b49ff7eec488dd95b6638632f41bda9001b3e6b42d05e9e337d45b7309f238abc43c80be8fcd96bd4ff0bf47bf32c377c29a484f127bb21d
SSDEEP

3072:OQk3DH+bK+snWjvUJfQA3f2CaxQpLlLOdnHmvJR8oIUqtY7Ovih0iT0b:OQkTH+bpsnWjvo/v2lQpUHmrlH6

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral2/files/0x00060000000006cf-2.dat	family_gh0strat
behavioral2/files/0x00080000000006cf-8.dat	family_gh0strat
behavioral2/files/0x0016000000023bbc-14.dat	family_gh0strat
behavioral2/files/0x0006000000022af2-20.dat	family_gh0strat
behavioral2/files/0x0008000000022af2-26.dat	family_gh0strat
behavioral2/files/0x000a000000022af2-32.dat	family_gh0strat
behavioral2/files/0x000c000000022af2-38.dat	family_gh0strat
behavioral2/files/0x000e000000022af2-44.dat	family_gh0strat
behavioral2/files/0x0010000000022af2-50.dat	family_gh0strat
behavioral2/files/0x0012000000022af2-56.dat	family_gh0strat
behavioral2/files/0x0014000000022af2-62.dat	family_gh0strat
behavioral2/files/0x0016000000022af2-68.dat	family_gh0strat
behavioral2/files/0x0016000000022af2-70.dat	family_gh0strat
behavioral2/files/0x0016000000022af2-71.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 35 IoCs

pid	Process
3224	svchost.exe
4136	svchost.exe
1080	svchost.exe
2052	svchost.exe
4300	svchost.exe
3076	svchost.exe
2484	svchost.exe
2504	svchost.exe
2820	svchost.exe
2588	svchost.exe
3848	svchost.exe
4432	svchost.exe
4952	svchost.exe
4784	svchost.exe
3152	svchost.exe
4328	svchost.exe
2348	svchost.exe
4768	svchost.exe
3596	svchost.exe
4596	svchost.exe
3576	svchost.exe
3140	svchost.exe
3176	svchost.exe
4188	svchost.exe
4728	svchost.exe
2700	svchost.exe
3164	svchost.exe
2564	svchost.exe
4524	svchost.exe
1952	svchost.exe
2844	svchost.exe
3640	svchost.exe
776	svchost.exe
2348	svchost.exe
4192	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wkxix.cc3	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

Program crash 35 IoCs

pid	pid_target	Process	procid_target
3104	3224	WerFault.exe	86
2964	4136	WerFault.exe	90
776	1080	WerFault.exe	93
3516	2052	WerFault.exe	96
1004	4300	WerFault.exe	99
4076	3076	WerFault.exe	102
1272	2484	WerFault.exe	107
1616	2504	WerFault.exe	110
4568	2820	WerFault.exe	114
436	2588	WerFault.exe	117
3960	3848	WerFault.exe	120
2104	4432	WerFault.exe	123
1572	4952	WerFault.exe	126
656	4784	WerFault.exe	129
3104	3152	WerFault.exe	132
2440	4328	WerFault.exe	135
1128	2348	WerFault.exe	138
5036	4768	WerFault.exe	141
4928	3596	WerFault.exe	144
2264	4596	WerFault.exe	147
3524	3576	WerFault.exe	150
1576	3140	WerFault.exe	153
2504	3176	WerFault.exe	156
2820	4188	WerFault.exe	159
372	4728	WerFault.exe	162
3428	2700	WerFault.exe	165
4996	3164	WerFault.exe	168
2528	2564	WerFault.exe	171
980	4524	WerFault.exe	174
1564	1952	WerFault.exe	177
1724	2844	WerFault.exe	180
3688	3640	WerFault.exe	183
1196	776	WerFault.exe	186
2052	2348	WerFault.exe	189
840	4192	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 600
  2⤵
  - Program crash
  PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3224 -ip 3224
1⤵
PID:4316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 592
  2⤵
  - Program crash
  PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4136 -ip 4136
1⤵
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 592
  2⤵
  - Program crash
  PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1080 -ip 1080
1⤵
PID:216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 592
  2⤵
  - Program crash
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2052 -ip 2052
1⤵
PID:5080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 592
  2⤵
  - Program crash
  PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4300 -ip 4300
1⤵
PID:368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 592
  2⤵
  - Program crash
  PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3076 -ip 3076
1⤵
PID:4064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 596
  2⤵
  - Program crash
  PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2484 -ip 2484
1⤵
PID:2644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 592
  2⤵
  - Program crash
  PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2504 -ip 2504
1⤵
PID:1688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 592
  2⤵
  - Program crash
  PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2820 -ip 2820
1⤵
PID:2032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 580
  2⤵
  - Program crash
  PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2588 -ip 2588
1⤵
PID:3428

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 596
  2⤵
  - Program crash
  PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3848 -ip 3848
1⤵
PID:4124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 592
  2⤵
  - Program crash
  PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4432 -ip 4432
1⤵
PID:3588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 592
  2⤵
  - Program crash
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4952 -ip 4952
1⤵
PID:4524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 592
  2⤵
  - Program crash
  PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4784 -ip 4784
1⤵
PID:1460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 592
  2⤵
  - Program crash
  PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3152 -ip 3152
1⤵
PID:2984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 592
  2⤵
  - Program crash
  PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4328 -ip 4328
1⤵
PID:5092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 592
  2⤵
  - Program crash
  PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2348 -ip 2348
1⤵
PID:3416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 592
  2⤵
  - Program crash
  PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4768 -ip 4768
1⤵
PID:3516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 592
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3596 -ip 3596
1⤵
PID:4300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 592
  2⤵
  - Program crash
  PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4596 -ip 4596
1⤵
PID:1360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 592
  2⤵
  - Program crash
  PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3576 -ip 3576
1⤵
PID:4032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 592
  2⤵
  - Program crash
  PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3140 -ip 3140
1⤵
PID:3932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 592
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3176 -ip 3176
1⤵
PID:1616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 592
  2⤵
  - Program crash
  PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4188 -ip 4188
1⤵
PID:4568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 596
  2⤵
  - Program crash
  PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4728 -ip 4728
1⤵
PID:404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 592
  2⤵
  - Program crash
  PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2700 -ip 2700
1⤵
PID:2132

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 592
  2⤵
  - Program crash
  PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3164 -ip 3164
1⤵
PID:2588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 596
  2⤵
  - Program crash
  PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2564 -ip 2564
1⤵
PID:4544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 592
  2⤵
  - Program crash
  PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4524 -ip 4524
1⤵
PID:1472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 592
  2⤵
  - Program crash
  PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1952 -ip 1952
1⤵
PID:2904

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 604
  2⤵
  - Program crash
  PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2844 -ip 2844
1⤵
PID:4676

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 592
  2⤵
  - Program crash
  PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3640 -ip 3640
1⤵
PID:3280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 600
  2⤵
  - Program crash
  PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 776 -ip 776
1⤵
PID:4112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 592
  2⤵
  - Program crash
  PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2348 -ip 2348
1⤵
PID:3572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 592
  2⤵
  - Program crash
  PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4192 -ip 4192
1⤵
PID:1252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wkxix.cc3

Filesize
10.6MB

MD5
b45114fd97b6d902d8996020cf0f2aee

SHA1
de37d3ee5ed163b98f44e207e13235370c91101d

SHA256
e8194de0d5806ec16bc9dc061a7012fb65343a7659b8d0135570997c360ea4cb

SHA512
de73db6be89d4208e9081d21eabd4e5395d46073eecc4e0bf6c9a00ec4ac2bf9f9b355245fe3434feb8c2f91a4c28e6df51322000e339b486591b4f8608db5a2

Download Submit
C:\Windows\SysWOW64\wkxix.cc3

Filesize
1.0MB

MD5
bba43fd7c29d77a0a43a7ae4136d01e0

SHA1
55304f5802c37db99fb91d169a558bfb86ae2e40

SHA256
42ab7b078a72a022baac99031b74431baf7b5cda98212acba4de18ca41232020

SHA512
539262b8b801fd720c505038e8eadd35aaffa309cfe60ffb606ef1bf4502f2443138ecd6165c65630ca171ccd3889a1c63fc4ac9b3c89aaf24b85592727baf1e

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
22.1MB

MD5
73c4c356d831284c1bbd703f4725f928

SHA1
3dea4640be3bdf90ec1eb9743bea594ed8c700ce

SHA256
5cb8c88beee727d6ba150d00397d6add35346f3975213a4875fda972c2ae8e71

SHA512
8dc827505c02e861e5646a238dde695c13a2b6bcf99da1a5e12f1c6f599cc04114b7b2dca68ca2d99405b781236fb2813661b328192f84b4853863a2dfabafac

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
21.0MB

MD5
71a6737f6c675bbbd3cb65b59ab0149d

SHA1
2fdd9de7fe26f069e2dea5893ca7834dcc9c6399

SHA256
1cb41b178efd5568954aca7205f249526e7a17c378390596a77bc7fff9284d7e

SHA512
f6119829a3c07d6d92989d4988dfefd8c8c178ab22f5f3962abaecf0eb8b5bef85cd022a6d8760fb08a6afb8a4b3c9f5b3d105028b76e470006ea1abd26729d7

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
24.1MB

MD5
38f962d60e5a112e78836753739d0406

SHA1
d4ce0e1601bbe6c651b0313edcaf630e4bb3c0fa

SHA256
96f0356afb4a0a587582c2b62268cb2b7e85e1e3f40f255efdd552ce2bb228a5

SHA512
a5a1dd9121f53dbdef2af4e9857a5cc54ee405066e92186287db4b950f5f699be7fc330b71efe4a41b53e301cb41ff2a3693985cc16b39539f912c6e284a5bb5

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
19.1MB

MD5
56ffc74ac09f7701d1b2b5418eda737d

SHA1
33c0f738fbf3712700dbb8ecc987a9136be0c99a

SHA256
041165ecf515853c41da86daed2ee035895978f7212260ba4c59fa22e0417feb

SHA512
4bcabd55ecf4c5a9f90e71f58167aaf7ddceef9bdd5cea3b7e7af28d0978f8b2f7a05eb67f7eea8e915b37bdcf898ffc6a1ac591c19a77e40f3e5c1b8ed00212

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
23.0MB

MD5
758d3a104c65fa0009ba68c6e641b2bb

SHA1
1ae15de746af060d7b0282aed5cd2ab8a32b000f

SHA256
c88e1cc4da1602970fb34802acb7ac4ef5ab33cfdb93845f88cafbbf334a12be

SHA512
388e2e1d59c66429c403d315bd252d7d0bad3e6b79c68b6bd4bbe4bef9f5110bf17133942aed345530168354162a87fa1de3be6d0256645df9de3edcd218345e

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
21.0MB

MD5
83f7d2b8265613a55981726bfe7685ce

SHA1
22226220c702a0b3048388b2fd1f5da148ee34e5

SHA256
2b970b05ce44723aa02818546c9375c85e6b1485d4ba30207edf63b272bdc851

SHA512
5fe70e43456b6e62fa3117356c331e7ee9230204044cb7ee8c363544391235d77d40eb62a30877da81979f6843580c8749a27edbf093095dc043d2a4e2d5a6df

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
21.1MB

MD5
63724d083f91c3532d889899f9c1eeed

SHA1
9ae18282621c5681f157d1234fa2edd654beb6aa

SHA256
6d313ea05856e3dc1a29f4c703d22c719bf9e6c9db98186177d42fb3ee326599

SHA512
89f4583b212fa84842d5ed8fa7024cabf175ce6444f8a4c506bc1a102fb00c6428b2a11199d8c66adab5f091c1c377cbb5ca791147767a1bf0d6062d7cc4c698

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
21.1MB

MD5
cb9ba2f4a0e648e041cc4980b1ca4c30

SHA1
e1dd50518fa5bd1283fa43ff5840233dad855b98

SHA256
bc54be588727beacda4f1c2852c7cccfa238425bca8df760f4c194a686b23151

SHA512
447363e89031fb3143bfcf1210b178ec7a02754d9fc9c1ff172979017bc0110d89ac25568322685c8aad1066e02f5e91abbdb7142c0a9d3322b8a8e1624c32fe

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
20.1MB

MD5
870c1861cd8c56b64ea0a9ff9f44a41b

SHA1
205cf926d2b5c282a71d9117b19b7730eb70f0d1

SHA256
089750acff46d08e2ee5197cf7ccfb519ceec0572261dcc8521713c95d356a70

SHA512
9b8ce46b2069517628c834ee284303221bac26970689c064c12be6a0c5fb46a46c6ed1aeab609d42f571166904a8331cb1c6634d5ed7f8122be40314ae1dd015

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
23.0MB

MD5
7297a642b67b3b73f35aa70ab6155e4c

SHA1
f7ec2dd4cba91e38a7e94833347401771e4ca177

SHA256
ad2e7eda894387b6f3f57d40a54e58760e803cc344e1691c9fb374268502049d

SHA512
1c3e90558a896999b5751204ca6d301d17e53ac82157c55fb757f095e8f16a2a5cf13db7be7dfb53ac6387910074f173100d40a4927b80319e7ec8117d46e03d

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
24.0MB

MD5
e06a87a30889adb20bab578494ea5347

SHA1
48562fe8fa319e4919a17fb8d6f6339409abfd89

SHA256
45cd4fa4971aa62a23b9fe932372e2e45cb9cf16628bafcdacb6f8b50aae25ca

SHA512
2bedf58736b3978137ffe0e56cf25a919be1bfc54209b483f95f549a58cddddd5af1f4f307fc4e1245bb1379a0075e7d0faab630bbafd111f33a92d0d1a35b21

Download Submit
\??\c:\windows\SysWOW64\wkxix.cc3

Filesize
19.0MB

MD5
1bc28e9dff426964fe6ce039709af90b

SHA1
5a57cdb6cb34148f1000634c0a2cfb19fd66fedd

SHA256
59132101d23eef6eacc99e1e3a0e3f9012fa101619d850951608fbe09275bec3

SHA512
06d6109586fa8fcb3d7a7c9af62609dc6ae7014014fa60c4e0670a8f1fec834710a39f3901926bba04f0a700a8fbefb3474da068e5a719d69dff75ef197571af

Download Submit