Analysis

  • max time kernel
    135s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 04:31

General

  • Target

    81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe

  • Size

    197KB

  • MD5

    81a67bf2a59b953f9c0f0204b2e1f3a8

  • SHA1

    a680768c148b963a6b605f3ee53a1db7b77a5e4f

  • SHA256

    21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6

  • SHA512

    2ff6b45b26db7665ce46b024aa6c2b1db14826bf9a83440ebef194f537fb0b9358a2e85b50d3df703bc9c63096ec1ba5caa49cd8d034eec01f80a7810fd26074

  • SSDEEP

    6144:nOVLnWFcxFtsFkVRTl0QdTmNPPYhnUeqP4:n8LWFc+kV1KIo+PY4

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 19 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Loads dropped DLL 31 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Program crash 35 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4828
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 600
      2⤵
      • Program crash
      PID:2648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2440 -ip 2440
    1⤵
      PID:1196
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1268
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 592
        2⤵
        • Program crash
        PID:3412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1268 -ip 1268
      1⤵
        PID:4988
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592
          2⤵
          • Program crash
          PID:876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4660 -ip 4660
        1⤵
          PID:1680
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
          1⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:696
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 592
            2⤵
            • Program crash
            PID:3744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 696 -ip 696
          1⤵
            PID:4556
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
            1⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3508
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 592
              2⤵
              • Program crash
              PID:5060
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3508 -ip 3508
            1⤵
              PID:3652
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
              1⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:4516
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592
                2⤵
                • Program crash
                PID:5072
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516
              1⤵
                PID:2716
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
                1⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1488
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 592
                  2⤵
                  • Program crash
                  PID:3668
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1488 -ip 1488
                1⤵
                  PID:1628
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
                  1⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:4688
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
                    2⤵
                    • Program crash
                    PID:1516
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4688 -ip 4688
                  1⤵
                    PID:2276
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
                    1⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:5116
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 592
                      2⤵
                      • Program crash
                      PID:3852
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5116 -ip 5116
                    1⤵
                      PID:3760
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
                      1⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:1000
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 592
                        2⤵
                        • Program crash
                        PID:1732
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1000 -ip 1000
                      1⤵
                        PID:4660
                      • C:\Windows\SysWOW64\svchost.exe
                        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
                        1⤵
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:3016
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 592
                          2⤵
                          • Program crash
                          PID:2616
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3016 -ip 3016
                        1⤵
                          PID:1232
                        • C:\Windows\SysWOW64\svchost.exe
                          C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
                          1⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:4204
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 592
                            2⤵
                            • Program crash
                            PID:2388
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4204 -ip 4204
                          1⤵
                            PID:4760
                          • C:\Windows\SysWOW64\svchost.exe
                            C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
                            1⤵
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:4700
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
                              2⤵
                              • Program crash
                              PID:3652
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4700 -ip 4700
                            1⤵
                              PID:4308
                            • C:\Windows\SysWOW64\svchost.exe
                              C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
                              1⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              PID:3684
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 592
                                2⤵
                                • Program crash
                                PID:2716
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684
                              1⤵
                                PID:3508
                              • C:\Windows\SysWOW64\svchost.exe
                                C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
                                1⤵
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                PID:828
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 592
                                  2⤵
                                  • Program crash
                                  PID:2660
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 828 -ip 828
                                1⤵
                                  PID:3320
                                • C:\Windows\SysWOW64\svchost.exe
                                  C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
                                  1⤵
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  PID:3656
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 592
                                    2⤵
                                    • Program crash
                                    PID:3292
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3656 -ip 3656
                                  1⤵
                                    PID:4688
                                  • C:\Windows\SysWOW64\svchost.exe
                                    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
                                    1⤵
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2448
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 592
                                      2⤵
                                      • Program crash
                                      PID:4144
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448
                                    1⤵
                                      PID:2620
                                    • C:\Windows\SysWOW64\svchost.exe
                                      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
                                      1⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:688
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 592
                                        2⤵
                                        • Program crash
                                        PID:3324
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 688 -ip 688
                                      1⤵
                                        PID:3724
                                      • C:\Windows\SysWOW64\svchost.exe
                                        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
                                        1⤵
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2572
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 592
                                          2⤵
                                          • Program crash
                                          PID:808
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2572 -ip 2572
                                        1⤵
                                          PID:4840
                                        • C:\Windows\SysWOW64\svchost.exe
                                          C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
                                          1⤵
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:4660
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592
                                            2⤵
                                            • Program crash
                                            PID:3520
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4660 -ip 4660
                                          1⤵
                                            PID:4692
                                          • C:\Windows\SysWOW64\svchost.exe
                                            C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
                                            1⤵
                                            • Loads dropped DLL
                                            • System Location Discovery: System Language Discovery
                                            PID:1724
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 592
                                              2⤵
                                              • Program crash
                                              PID:5104
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1724 -ip 1724
                                            1⤵
                                              PID:1972
                                            • C:\Windows\SysWOW64\svchost.exe
                                              C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
                                              1⤵
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              PID:4392
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 592
                                                2⤵
                                                • Program crash
                                                PID:4960
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392
                                              1⤵
                                                PID:1496
                                              • C:\Windows\SysWOW64\svchost.exe
                                                C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
                                                1⤵
                                                • Loads dropped DLL
                                                • System Location Discovery: System Language Discovery
                                                PID:4352
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 592
                                                  2⤵
                                                  • Program crash
                                                  PID:2228
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4352 -ip 4352
                                                1⤵
                                                  PID:5028
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
                                                  1⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2908
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 592
                                                    2⤵
                                                    • Program crash
                                                    PID:3652
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2908 -ip 2908
                                                  1⤵
                                                    PID:4264
                                                  • C:\Windows\SysWOW64\svchost.exe
                                                    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
                                                    1⤵
                                                    • Loads dropped DLL
                                                    • System Location Discovery: System Language Discovery
                                                    PID:444
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 592
                                                      2⤵
                                                      • Program crash
                                                      PID:4840
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444
                                                    1⤵
                                                      PID:1908
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
                                                      1⤵
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1292
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600
                                                        2⤵
                                                        • Program crash
                                                        PID:4528
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1292 -ip 1292
                                                      1⤵
                                                        PID:1732
                                                      • C:\Windows\SysWOW64\svchost.exe
                                                        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
                                                        1⤵
                                                        • Loads dropped DLL
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3308
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 592
                                                          2⤵
                                                          • Program crash
                                                          PID:2968
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3308 -ip 3308
                                                        1⤵
                                                          PID:1232
                                                        • C:\Windows\SysWOW64\svchost.exe
                                                          C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
                                                          1⤵
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4668
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 592
                                                            2⤵
                                                            • Program crash
                                                            PID:2380
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668
                                                          1⤵
                                                            PID:4480
                                                          • C:\Windows\SysWOW64\svchost.exe
                                                            C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
                                                            1⤵
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4564
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 592
                                                              2⤵
                                                              • Program crash
                                                              PID:1920
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 4564
                                                            1⤵
                                                              PID:4732
                                                            • C:\Windows\SysWOW64\svchost.exe
                                                              C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
                                                              1⤵
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4700
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
                                                                2⤵
                                                                • Program crash
                                                                PID:2908
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4700 -ip 4700
                                                              1⤵
                                                                PID:1776
                                                              • C:\Windows\SysWOW64\svchost.exe
                                                                C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
                                                                1⤵
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1352
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 604
                                                                  2⤵
                                                                  • Program crash
                                                                  PID:900
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1352 -ip 1352
                                                                1⤵
                                                                  PID:3648
                                                                • C:\Windows\SysWOW64\svchost.exe
                                                                  C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
                                                                  1⤵
                                                                    PID:3760
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 572
                                                                      2⤵
                                                                      • Program crash
                                                                      PID:3852
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3760 -ip 3760
                                                                    1⤵
                                                                      PID:3800
                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
                                                                      1⤵
                                                                        PID:4940
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 592
                                                                          2⤵
                                                                          • Program crash
                                                                          PID:2588
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 4940
                                                                        1⤵
                                                                          PID:3420
                                                                        • C:\Windows\SysWOW64\svchost.exe
                                                                          C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
                                                                          1⤵
                                                                            PID:1640
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 600
                                                                              2⤵
                                                                              • Program crash
                                                                              PID:2852
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1640 -ip 1640
                                                                            1⤵
                                                                              PID:3924
                                                                            • C:\Windows\SysWOW64\svchost.exe
                                                                              C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
                                                                              1⤵
                                                                                PID:1908
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 592
                                                                                  2⤵
                                                                                  • Program crash
                                                                                  PID:4656
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1908 -ip 1908
                                                                                1⤵
                                                                                  PID:3896
                                                                                • C:\Windows\SysWOW64\svchost.exe
                                                                                  C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
                                                                                  1⤵
                                                                                    PID:2364

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 18.8MB
    MD5: 48f83d482dcd1d6a4cb4462bf694b631
    SHA1: 515051749d3e095403c60c06db542502ba0bf0f3
    SHA256: b2c1a6b176c916bf0f34e900bf130f60c7953f0d631bf3c8e7d6aa859f3a0567
    SHA512: 321bdea2347ba403d8a98515f29f579dfc40fb20140a4ab9889cd25be58efd9c40d21cfbce843aab2cfe591ae2db16540a2c5af2168f59e7fc577be0705793aa

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 896KB
    MD5: 4bc24b415a3878dfdeb5bd4c156e4c4e
    SHA1: 0b04e1c192decee2a319408dbfa74eb491984ba1
    SHA256: 5318d606493c88a1c2dc54f2895841e216d30ece2dbf0f58b4b2ee5157c1b3fe
    SHA512: 79509fd9b3f498d55e26cc347c3319fd558fefad0399fa83702732c6994d521d2bf1f6bbed4af46edcee8d2c4b1d82c8367ec481bbaba95db0012e6b7e5927d4

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 661KB
    MD5: 3918a4b6a6c04df4ca6440e8fdb55c46
    SHA1: 2e6a099715a323dd943ee5c9f24b11cdf3818927
    SHA256: 6581b00321f9f20912f2b8655a3653fbfc063c49fb0e75c39b63fdc2fa54022a
    SHA512: b0c7cfd0f96bdc7ffe4eaba01086fc071bc300256e2fe60a84d87a52fb2e51e6fdffbb648a2991a9a30474551f659111032b30dda10b66885378aaee7a7a82ff

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 655KB
    MD5: c0ffe2de027dd141a222cbe0429fc8f8
    SHA1: 7721606e7dec417e827cfd23c9cc6f6055273dd1
    SHA256: 3ad386ace35396e5854f08639cff212df1c985c41fa59087ef59a3e7d5994d6e
    SHA512: e9adcff986de0724af9dbb2c640ca5dc523d04a0a3d5d28f63c8f4c7114521205e03dba035df52833b61cebdab1d43ccd413bc31f6ed6c07b4f69b604a6ff6fd

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 6.1MB
    MD5: 3c699587f51a6182334af64228701d66
    SHA1: 58e73f623448a8ae739902b4a651286013f689b9
    SHA256: 33f826fb1fce35eaef0cd6aed7725b02e652d217aa76135d80569b0fdeb92ffa
    SHA512: a975cbad3db8a1ea1fd3570fbaf26c98645da75439766faf4db6ac3cd5729a337d304313d44d308bf49a06be6cc18a41fd3abdf9716e6a3df7aa0a73410dccae

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 5.1MB
    MD5: 744a9d84b2b399818c6b9e4cd277e8ac
    SHA1: 2a47ca35f641866994e6fd14f781b9664700fa86
    SHA256: 7832b405b498dd9026cc33676f874b2b7e75e8d9d6020126a1b1a8e73057ad85
    SHA512: 591f552138e4fd42a4d2d8a2e11e7b7c407b83e692f5a7fe4e9b2a803b28719240a79fa020d053a2d14d558d85845be0574b98f03217d2db23557864a3f65a54

  • C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
    Filesize: 5.1MB
    MD5: f98e5d2d4727e46f2d97d3ea9815fbe9
    SHA1: 26cdbc40e69e6b27cda7ce2bcd56248692780b9f
    SHA256: e22c6b3515013940ef863e29a31a846a15e28dda4a2900a50a6e2e17ee23886a
    SHA512: 0bae853ecc0346d242dd7c2920aecc2c58ef0c1cbcac1ecea777ba4f41557f718ec9c7e1608381e5e255c03e37f4f9167b077287f805016dccaa0d37218a67d6

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 20.0MB
    MD5: b552eeec2afb5f1619701856c70e8ea9
    SHA1: 5991137d65c2da2ef839a9ef8c091b7424f4ae55
    SHA256: b7fd720b3dde68cebb19180814117be025bcd0b71dda67a091e664fe80275dcf
    SHA512: 53f637cd54a5d6a30da608e689b8a9071755f00c8714b653025c942302160a37ff1dc17590024859cd7ed2d91a34eab8a595367574a44fcefeb145948eadd7c8

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 19.0MB
    MD5: e5790c9d694995eb65d1ae7b582a3642
    SHA1: 2295fe5640536ce6fd56050d4a55d61cf7d84d20
    SHA256: 083bf7a33394df14c8afb129c31a3bc325d144f9096a7546e0d6195ce20a61eb
    SHA512: 8af9c80d96c68c11635d910ce60cfcad6378c318f0eaca75fe625b310ae0ee0596fecb012ca74df028aeabd34f840aeedb3d10254e1a0bc904eb094359b0e36b

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 20.0MB
    MD5: 3f0052f17e264cf849f3c9ea3128ad9b
    SHA1: 40b3b67addb0a5345648d212e56a532f2a006239
    SHA256: 3e5ea6fdb31c675c09f08257229c5811cb1f1d32f4fa0559d2ebf597c24932af
    SHA512: 03e88f1278d4b8d1099db547aefae919d00cc3d450ca390e2b73380e30dc20ff0e5ae6092c1ced02612753ae62a73de4191b0613ad391b8f37dc0783a096e049

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 24.1MB
    MD5: d00e951c26a08be1872143d005418897
    SHA1: 3330f3c1b252730ee031b8201e9e36faa15e5982
    SHA256: 5566d2a16b0ae69c351ffd0a6fb52d3f66e1fd42046ff4b1412fa14f059f3384
    SHA512: b85b056034c5499e9b7431f7658492e9577cbbd148631aa3d3a6e3aa2feca1fbdbb0c0b72ea3304fef9afacface3f4dae87385b143f0d11a3123f1601d34b5dc

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 405KB
    MD5: 6b58acf5ae439fd5c732e09d786bf1ea
    SHA1: 1030327b631ade4590954ed6ede90f26e5b34182
    SHA256: 4f81c06183c190b2ea92a26832a06fae715e24da089aa2cf91e8904b25d8deb0
    SHA512: 8f153621484f82abfb4badf1caf19fb8372aa604d7f2b6ef25c82968e07b7597ebbe00884568d84095523679043c5860b888a65447613164a6687d5fce78a0eb

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 24.1MB
    MD5: 09d5481f0453125d447bcfdb927f0b83
    SHA1: 341243b3b523d525b59e6dfa889e09ce797ab917
    SHA256: 04e81170784885963b0719793f804dd7ebe7f125ab58629ceb526edfb9db1735
    SHA512: f8182eb3d3a813ffabde59aef87414e25ac74fe679fe14c2b16e79a4a3b1e496636bfaf5fb309ec0bdd2313b49fd93e344f144fef1e17aa605a9253bcb79f3dd

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 21.1MB
    MD5: f6d462095763613c7244f03bf5e096eb
    SHA1: fc30a4bb6d6b3b843835d30df288980cf9cc1a50
    SHA256: 0223b8a2641ac1b3e912594ceafcd173f5309299e88204d7f0e4020f2d1ec6c2
    SHA512: 7eed545209897c1a3ed597f0c14ee1ad85a530cf0058b950304c2cfce653d0646025b485f19f0c75d7d1125705f735a3c9aa45b63398d1507e7bbcaddc636559

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 22.1MB
    MD5: 7edd50a0fd68c825c02c035f45340d21
    SHA1: eecb86a1355c5acd63f1dcdd1e1ba3cf6353f2e1
    SHA256: 3443d45e8c424f97703245c0e07ea478467bc2f3a77e5a2e46ae53a0b7e82a1e
    SHA512: 5e65400b518735263b76c622c88dd8f366e03192883954363e7e613b9a110029138848148116f5d6cb46c99d434c870dce78d4a253d2255248e6f3c862c42653

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 5.9MB
    MD5: d2113ebe12373f7bbc82590a4eec78b6
    SHA1: c887fd1ad065d9db4f52235ab82164f18bce97f7
    SHA256: cf62499f848a5e181a9f1657b38a75a688ad4c1f7e1286ac3ce91e32642deb14
    SHA512: 11b83e39ed52437aaa473914e71fbe552211dd480ffeb9325125f869d2c22d31d21459a4db6ad20f4765fc1e7d95b01e60dda8e8229db9d32042f0acf08e66bf

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 23.0MB
    MD5: e92e3bcef586319411d591b578e9ae8f
    SHA1: c232a6eb6aa3a91f288b73388dcfb01537735e86
    SHA256: 496427694f4586adc57d9eaadd4be55db978df7aa4545a4c8e9b4c772b67fd3d
    SHA512: fa2b7b6e1eabcc216e229d168dbf0bcd3d53f252edb9075c5eb8f868bb0c129aae65a905d72bf9c73435cfc3eb0e30c80c53f66960baf6a635d30bab38127312

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 19.1MB
    MD5: 88cd2aedc28a070bcf311ab25779a725
    SHA1: 077f3b100a2abcbdb39b068b547921d15ded7722
    SHA256: 2f84a24f561f75420f10e2ebd77edd0f8e15e0c8bb59f6d703c3129dc64de298
    SHA512: c52f83627ba34271e88b5c573bedb5b0c8949d9790ebd97ed0caf55db0d6f12a8991bc0a1c5ed1d77479ec9e6336cfc4ee32e3a31512df34e285890de9224294

  • \??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
    Filesize: 19.1MB
    MD5: d7f20b7d821f244cdad277fc906229a4
    SHA1: dea7ef8baae7b7080a760acc94d6c553a6ee407a
    SHA256: 77b484f9ac31b4e1e8df5158dff2ba37ab3a4037e28597ba772c13bf7f502417
    SHA512: c7af461c0275b14965847dd8c4961bd85d5ada18e23866cec1dc02a5b43bfecc087e7c7955bf39adc05f221dfe4a6099b94d0fb6acb47ee7809e626b053c8430