Analysis

max time kernel: 135s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 04:31

Static task: static1
Behavioral task: behavioral1
Sample: 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
Size: 197KB
MD5: 81a67bf2a59b953f9c0f0204b2e1f3a8
SHA1: a680768c148b963a6b605f3ee53a1db7b77a5e4f
SHA256: 21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6
SHA512: 2ff6b45b26db7665ce46b024aa6c2b1db14826bf9a83440ebef194f537fb0b9358a2e85b50d3df703bc9c63096ec1ba5caa49cd8d034eec01f80a7810fd26074
SSDEEP: 6144:nOVLnWFcxFtsFkVRTl0QdTmNPPYhnUeqP4:n8LWFc+kV1KIo+PY4
Malware Config
Signatures

Gh0st RAT payload (19 IoCs)
YARA rule family_gh0strat matched on the following dropped resources:
  behavioral2/files/0x0008000000023c97-2.dat
  behavioral2/files/0x000a000000023c97-8.dat
  behavioral2/files/0x000d000000023cad-14.dat
  behavioral2/files/0x000e000000023b48-20.dat
  behavioral2/files/0x0010000000023b48-26.dat
  behavioral2/files/0x0012000000023b48-32.dat
  behavioral2/files/0x0014000000023b48-38.dat
  behavioral2/files/0x0016000000023b48-44.dat
  behavioral2/files/0x00080000000229c5-50.dat
  behavioral2/files/0x000a0000000229c5-56.dat
  behavioral2/files/0x000a0000000229c5-59.dat
  behavioral2/files/0x0011000000023b51-63.dat
  behavioral2/files/0x0011000000023b51-62.dat
  behavioral2/files/0x0011000000023b51-64.dat
  behavioral2/files/0x0011000000023b51-65.dat
  behavioral2/files/0x000c0000000229c5-69.dat
  behavioral2/files/0x000c0000000229c5-68.dat
  behavioral2/files/0x000c0000000229c5-70.dat
  behavioral2/files/0x000c0000000229c5-71.dat

Gh0strat family
Loads dropped DLL (31 IoCs)
Process: svchost.exe
PIDs: 2440, 1268, 4660, 696, 3508, 4516, 1488, 4688, 5116, 1000, 3016, 4204, 4700, 3684, 828, 3656, 2448, 688, 2572, 4660, 1724, 4392, 4352, 2908, 444, 1292, 3308, 4668, 4564, 4700, 1352
PIDs 4660 and 4700 each appear twice: the first instance with each PID crashed (see Program crash below) and the PID was later reused for a new svchost.exe instance, so match on PID plus launch order rather than PID alone when correlating these entries.
Drops file in Program Files directory (1 IoC)
File opened for modification: C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
Process: 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
The path is recorded with %SESSIONNAME% unexpanded, so the directory on disk may carry that literal name; when hunting, check for both the literal %SESSIONNAME% directory and an expanded session name under C:\Program Files (x86)\StormII\.
Program crash (35 IoCs)
pid   pid_target  Process       procid_target
2648  2440        WerFault.exe  92
3412  1268        WerFault.exe  97
876   4660        WerFault.exe  102
3744  696         WerFault.exe  109
5060  3508        WerFault.exe  112
5072  4516        WerFault.exe  115
3668  1488        WerFault.exe  120
1516  4688        WerFault.exe  123
3852  5116        WerFault.exe  126
1732  1000        WerFault.exe  131
2616  3016        WerFault.exe  134
2388  4204        WerFault.exe  137
3652  4700        WerFault.exe  140
2716  3684        WerFault.exe  143
2660  828         WerFault.exe  146
3292  3656        WerFault.exe  151
4144  2448        WerFault.exe  154
3324  688         WerFault.exe  157
808   2572        WerFault.exe  160
3520  4660        WerFault.exe  163
5104  1724        WerFault.exe  166
4960  4392        WerFault.exe  169
2228  4352        WerFault.exe  172
3652  2908        WerFault.exe  175
4840  444         WerFault.exe  187
4528  1292        WerFault.exe  190
2968  3308        WerFault.exe  193
2380  4668        WerFault.exe  196
1920  4564        WerFault.exe  199
2908  4700        WerFault.exe  202
900   1352        WerFault.exe  208
3852  3760        WerFault.exe  211
2588  4940        WerFault.exe  214
2852  1640        WerFault.exe  217
4656  1908        WerFault.exe  220
Every pid_target is an svchost.exe instance from the process tree below; 35 crashes are recorded for the 36 svchost.exe launches, the last one (PID 2364) having no crash recorded before the run ended.
System Location Discovery: System Language Discovery (1 TTP, 32 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by svchost.exe (31 IoCs, one per dropped-DLL host)
  by 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe (1 IoC)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 4828, 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (44 IoCs)
PID 4828, 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
Token: SeRestorePrivilege (22 occurrences) and SeBackupPrivilege (22 occurrences), requested in a repeating Restore, Backup, Backup, Restore pattern.
SeBackupPrivilege lets a process read past file ACLs and SeRestorePrivilege lets it write past them, which is consistent with the write into Program Files (x86) recorded above.
Processes
(each entry is "image (PID): command line"; indented WerFault.exe entries are children of the svchost.exe above them; the svchost.exe hosts are recorded at top level, not as children of the sample)

81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe (PID 4828): "C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
svchost.exe (PID 2440): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2648): C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 600
    - Program crash
WerFault.exe (PID 1196): C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2440 -ip 2440

svchost.exe (PID 1268): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3412): C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 592
    - Program crash
WerFault.exe (PID 4988): C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1268 -ip 1268

svchost.exe (PID 4660): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 876): C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592
    - Program crash
WerFault.exe (PID 1680): C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4660 -ip 4660

svchost.exe (PID 696): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3744): C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 592
    - Program crash
WerFault.exe (PID 4556): C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 696 -ip 696

svchost.exe (PID 3508): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 5060): C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 592
    - Program crash
WerFault.exe (PID 3652): C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3508 -ip 3508

svchost.exe (PID 4516): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 5072): C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592
    - Program crash
WerFault.exe (PID 2716): C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516

svchost.exe (PID 1488): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3668): C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 592
    - Program crash
WerFault.exe (PID 1628): C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1488 -ip 1488

svchost.exe (PID 4688): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 1516): C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
    - Program crash
WerFault.exe (PID 2276): C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4688 -ip 4688

svchost.exe (PID 5116): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3852): C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 592
    - Program crash
WerFault.exe (PID 3760): C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5116 -ip 5116

svchost.exe (PID 1000): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 1732): C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 592
    - Program crash
WerFault.exe (PID 4660): C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1000 -ip 1000

svchost.exe (PID 3016): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2616): C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 592
    - Program crash
WerFault.exe (PID 1232): C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3016 -ip 3016

svchost.exe (PID 4204): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2388): C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 592
    - Program crash
WerFault.exe (PID 4760): C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4204 -ip 4204

svchost.exe (PID 4700): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3652): C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
    - Program crash
WerFault.exe (PID 4308): C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4700 -ip 4700

svchost.exe (PID 3684): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2716): C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 592
    - Program crash
WerFault.exe (PID 3508): C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684

svchost.exe (PID 828): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2660): C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 592
    - Program crash
WerFault.exe (PID 3320): C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 828 -ip 828

svchost.exe (PID 3656): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3292): C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 592
    - Program crash
WerFault.exe (PID 4688): C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3656 -ip 3656

svchost.exe (PID 2448): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 4144): C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 592
    - Program crash
WerFault.exe (PID 2620): C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448

svchost.exe (PID 688): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3324): C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 592
    - Program crash
WerFault.exe (PID 3724): C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 688 -ip 688

svchost.exe (PID 2572): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 808): C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 592
    - Program crash
WerFault.exe (PID 4840): C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2572 -ip 2572

svchost.exe (PID 4660): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3520): C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592
    - Program crash
WerFault.exe (PID 4692): C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4660 -ip 4660

svchost.exe (PID 1724): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 5104): C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 592
    - Program crash
WerFault.exe (PID 1972): C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1724 -ip 1724

svchost.exe (PID 4392): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 4960): C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 592
    - Program crash
WerFault.exe (PID 1496): C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392

svchost.exe (PID 4352): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2228): C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 592
    - Program crash
WerFault.exe (PID 5028): C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4352 -ip 4352

svchost.exe (PID 2908): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 3652): C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 592
    - Program crash
WerFault.exe (PID 4264): C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2908 -ip 2908

svchost.exe (PID 444): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 4840): C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 592
    - Program crash
WerFault.exe (PID 1908): C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444

svchost.exe (PID 1292): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 4528): C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600
    - Program crash
WerFault.exe (PID 1732): C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1292 -ip 1292

svchost.exe (PID 3308): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2968): C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 592
    - Program crash
WerFault.exe (PID 1232): C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3308 -ip 3308

svchost.exe (PID 4668): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2380): C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 592
    - Program crash
WerFault.exe (PID 4480): C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668

svchost.exe (PID 4564): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 1920): C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 592
    - Program crash
WerFault.exe (PID 4732): C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 4564

svchost.exe (PID 4700): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 2908): C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
    - Program crash
WerFault.exe (PID 1776): C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4700 -ip 4700

svchost.exe (PID 1352): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  WerFault.exe (PID 900): C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 604
    - Program crash
WerFault.exe (PID 3648): C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1352 -ip 1352

svchost.exe (PID 3760): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
  WerFault.exe (PID 3852): C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 572
    - Program crash
WerFault.exe (PID 3800): C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3760 -ip 3760

svchost.exe (PID 4940): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
  WerFault.exe (PID 2588): C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 592
    - Program crash
WerFault.exe (PID 3420): C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 4940

svchost.exe (PID 1640): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
  WerFault.exe (PID 2852): C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 600
    - Program crash
WerFault.exe (PID 3924): C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1640 -ip 1640

svchost.exe (PID 1908): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
  WerFault.exe (PID 4656): C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 592
    - Program crash
WerFault.exe (PID 3896): C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1908 -ip 1908

svchost.exe (PID 2364): C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
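The "Loads dropped DLL" and "Program crash" signatures and the process tree above all describe the same thing from different angles: the dropped DLL is loaded by `svchost.exe -k netsvcs -s <service>` under a succession of service names, and each host then dies in WerFault. The triage question is which service names were used, because the `-s <service>` argument is the key under which svchost looks up the DLL to load (the ServiceDll value in `HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters`). The script below is an added example written for this page; it is not part of the sandbox report or of the sample. It takes process records as (command line, PID) tuples in launch order, a representation assumed here, attributes each `WerFault.exe -u -p <pid>` record to the svchost.exe instance that crashed, and summarises launches and crashes per service name. The sample records are constructed to mirror the tree above, including the reuse of PID 4660 for two different hosts, which is the edge case a naive PID-keyed dictionary gets wrong.

```python
"""Correlate svchost.exe service hosts with WerFault crash records.

Added triage example for the report above, not code from the sandbox or the
sample. Input is a list of (command_line, pid) tuples in launch order, which
is an assumed representation of the report's process tree.
"""
import re
from collections import OrderedDict

SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)\s+-s\s+(\S+)", re.IGNORECASE)
# Only the "-u -p <pid>" form reports a crash; the "-pss" helper is ignored.
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.IGNORECASE)

# Constructed sample (command line, pid), shaped like the report's tree.
# PID 4660 is reused for a second svchost.exe after the first one crashed.
SAMPLE_RECORDS = [
    (r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility", 4660),
    (r"C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592", 876),
    (r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4660 -ip 4660", 1680),
    (r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias", 696),
    (r"C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 592", 3744),
    (r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice", 4660),
    (r"C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592", 3520),
    (r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc", 2364),
]


def correlate(records):
    """Return one dict per svchost.exe host: group, service, pid, crashed, crash_pid."""
    hosts = []
    for cmdline, pid in records:
        m = SVCHOST_RE.search(cmdline)
        if m:
            hosts.append({"group": m.group(1), "service": m.group(2),
                          "pid": pid, "crashed": False, "crash_pid": None})
            continue
        m = WERFAULT_RE.search(cmdline)
        if m:
            target = int(m.group(1))
            # PIDs are reused within the run, so attribute the crash to the
            # most recent host with that PID that has not already crashed.
            for host in reversed(hosts):
                if host["pid"] == target and not host["crashed"]:
                    host["crashed"] = True
                    host["crash_pid"] = pid
                    break
    return hosts


def summarize(hosts):
    """Per service name: svchost group, number of launches, number of crashes."""
    summary = OrderedDict()
    for host in hosts:
        entry = summary.setdefault(host["service"],
                                   {"group": host["group"], "launches": 0, "crashes": 0})
        entry["launches"] += 1
        entry["crashes"] += 1 if host["crashed"] else 0
    return summary


def service_dll_paths(summary):
    """Registry values to pull from the victim for each hosted service name.

    svchost.exe loads the DLL named by the ServiceDll value of the service it
    was started with; a value pointing outside the Windows directory is the
    artefact to collect.
    """
    return [rf"HKLM\SYSTEM\CurrentControlSet\Services\{name}\Parameters\ServiceDll"
            for name in summary]


if __name__ == "__main__":
    summary = summarize(correlate(SAMPLE_RECORDS))
    for name, entry in summary.items():
        print(f"{name:32s} group={entry['group']} "
              f"launches={entry['launches']} crashes={entry['crashes']}")
    for path in service_dll_paths(summary):
        print(path)
```

Run on the full tree above, the same logic yields the twelve service names (fastuserswitchingcompatibility, ias, irmon, nla, ntmssvc, nwcworkstation, srservice, wmi, wmdmpmsp, logonhours, pcaudit, helpsvc), 36 launches and 35 crashes, with only the final helpsvc host (PID 2364) uncrashed. The ServiceDll paths it prints are the registry values to inspect on an infected host; the sandbox report itself does not show the service registration, so treat them as where to look, not as confirmed IoCs.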
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 18.8MB
MD5: 48f83d482dcd1d6a4cb4462bf694b631
SHA1: 515051749d3e095403c60c06db542502ba0bf0f3
SHA256: b2c1a6b176c916bf0f34e900bf130f60c7953f0d631bf3c8e7d6aa859f3a0567
SHA512: 321bdea2347ba403d8a98515f29f579dfc40fb20140a4ab9889cd25be58efd9c40d21cfbce843aab2cfe591ae2db16540a2c5af2168f59e7fc577be0705793aa

Filesize: 896KB
MD5: 4bc24b415a3878dfdeb5bd4c156e4c4e
SHA1: 0b04e1c192decee2a319408dbfa74eb491984ba1
SHA256: 5318d606493c88a1c2dc54f2895841e216d30ece2dbf0f58b4b2ee5157c1b3fe
SHA512: 79509fd9b3f498d55e26cc347c3319fd558fefad0399fa83702732c6994d521d2bf1f6bbed4af46edcee8d2c4b1d82c8367ec481bbaba95db0012e6b7e5927d4

Filesize: 661KB
MD5: 3918a4b6a6c04df4ca6440e8fdb55c46
SHA1: 2e6a099715a323dd943ee5c9f24b11cdf3818927
SHA256: 6581b00321f9f20912f2b8655a3653fbfc063c49fb0e75c39b63fdc2fa54022a
SHA512: b0c7cfd0f96bdc7ffe4eaba01086fc071bc300256e2fe60a84d87a52fb2e51e6fdffbb648a2991a9a30474551f659111032b30dda10b66885378aaee7a7a82ff

Filesize: 655KB
MD5: c0ffe2de027dd141a222cbe0429fc8f8
SHA1: 7721606e7dec417e827cfd23c9cc6f6055273dd1
SHA256: 3ad386ace35396e5854f08639cff212df1c985c41fa59087ef59a3e7d5994d6e
SHA512: e9adcff986de0724af9dbb2c640ca5dc523d04a0a3d5d28f63c8f4c7114521205e03dba035df52833b61cebdab1d43ccd413bc31f6ed6c07b4f69b604a6ff6fd

Filesize: 6.1MB
MD5: 3c699587f51a6182334af64228701d66
SHA1: 58e73f623448a8ae739902b4a651286013f689b9
SHA256: 33f826fb1fce35eaef0cd6aed7725b02e652d217aa76135d80569b0fdeb92ffa
SHA512: a975cbad3db8a1ea1fd3570fbaf26c98645da75439766faf4db6ac3cd5729a337d304313d44d308bf49a06be6cc18a41fd3abdf9716e6a3df7aa0a73410dccae

Filesize: 5.1MB
MD5: 744a9d84b2b399818c6b9e4cd277e8ac
SHA1: 2a47ca35f641866994e6fd14f781b9664700fa86
SHA256: 7832b405b498dd9026cc33676f874b2b7e75e8d9d6020126a1b1a8e73057ad85
SHA512: 591f552138e4fd42a4d2d8a2e11e7b7c407b83e692f5a7fe4e9b2a803b28719240a79fa020d053a2d14d558d85845be0574b98f03217d2db23557864a3f65a54

Filesize: 5.1MB
MD5: f98e5d2d4727e46f2d97d3ea9815fbe9
SHA1: 26cdbc40e69e6b27cda7ce2bcd56248692780b9f
SHA256: e22c6b3515013940ef863e29a31a846a15e28dda4a2900a50a6e2e17ee23886a
SHA512: 0bae853ecc0346d242dd7c2920aecc2c58ef0c1cbcac1ecea777ba4f41557f718ec9c7e1608381e5e255c03e37f4f9167b077287f805016dccaa0d37218a67d6

Filesize: 20.0MB
MD5: b552eeec2afb5f1619701856c70e8ea9
SHA1: 5991137d65c2da2ef839a9ef8c091b7424f4ae55
SHA256: b7fd720b3dde68cebb19180814117be025bcd0b71dda67a091e664fe80275dcf
SHA512: 53f637cd54a5d6a30da608e689b8a9071755f00c8714b653025c942302160a37ff1dc17590024859cd7ed2d91a34eab8a595367574a44fcefeb145948eadd7c8

Filesize: 19.0MB
MD5: e5790c9d694995eb65d1ae7b582a3642
SHA1: 2295fe5640536ce6fd56050d4a55d61cf7d84d20
SHA256: 083bf7a33394df14c8afb129c31a3bc325d144f9096a7546e0d6195ce20a61eb
SHA512: 8af9c80d96c68c11635d910ce60cfcad6378c318f0eaca75fe625b310ae0ee0596fecb012ca74df028aeabd34f840aeedb3d10254e1a0bc904eb094359b0e36b

Filesize: 20.0MB
MD5: 3f0052f17e264cf849f3c9ea3128ad9b
SHA1: 40b3b67addb0a5345648d212e56a532f2a006239
SHA256: 3e5ea6fdb31c675c09f08257229c5811cb1f1d32f4fa0559d2ebf597c24932af
SHA512: 03e88f1278d4b8d1099db547aefae919d00cc3d450ca390e2b73380e30dc20ff0e5ae6092c1ced02612753ae62a73de4191b0613ad391b8f37dc0783a096e049

Filesize: 24.1MB
MD5: d00e951c26a08be1872143d005418897
SHA1: 3330f3c1b252730ee031b8201e9e36faa15e5982
SHA256: 5566d2a16b0ae69c351ffd0a6fb52d3f66e1fd42046ff4b1412fa14f059f3384
SHA512: b85b056034c5499e9b7431f7658492e9577cbbd148631aa3d3a6e3aa2feca1fbdbb0c0b72ea3304fef9afacface3f4dae87385b143f0d11a3123f1601d34b5dc

Filesize: 405KB
MD5: 6b58acf5ae439fd5c732e09d786bf1ea
SHA1: 1030327b631ade4590954ed6ede90f26e5b34182
SHA256: 4f81c06183c190b2ea92a26832a06fae715e24da089aa2cf91e8904b25d8deb0
SHA512: 8f153621484f82abfb4badf1caf19fb8372aa604d7f2b6ef25c82968e07b7597ebbe00884568d84095523679043c5860b888a65447613164a6687d5fce78a0eb

Filesize: 24.1MB
MD5: 09d5481f0453125d447bcfdb927f0b83
SHA1: 341243b3b523d525b59e6dfa889e09ce797ab917
SHA256: 04e81170784885963b0719793f804dd7ebe7f125ab58629ceb526edfb9db1735
SHA512: f8182eb3d3a813ffabde59aef87414e25ac74fe679fe14c2b16e79a4a3b1e496636bfaf5fb309ec0bdd2313b49fd93e344f144fef1e17aa605a9253bcb79f3dd

Filesize: 21.1MB
MD5: f6d462095763613c7244f03bf5e096eb
SHA1: fc30a4bb6d6b3b843835d30df288980cf9cc1a50
SHA256: 0223b8a2641ac1b3e912594ceafcd173f5309299e88204d7f0e4020f2d1ec6c2
SHA512: 7eed545209897c1a3ed597f0c14ee1ad85a530cf0058b950304c2cfce653d0646025b485f19f0c75d7d1125705f735a3c9aa45b63398d1507e7bbcaddc636559

Filesize: 22.1MB
MD5: 7edd50a0fd68c825c02c035f45340d21
SHA1: eecb86a1355c5acd63f1dcdd1e1ba3cf6353f2e1
SHA256: 3443d45e8c424f97703245c0e07ea478467bc2f3a77e5a2e46ae53a0b7e82a1e
SHA512: 5e65400b518735263b76c622c88dd8f366e03192883954363e7e613b9a110029138848148116f5d6cb46c99d434c870dce78d4a253d2255248e6f3c862c42653

Filesize: 5.9MB
MD5: d2113ebe12373f7bbc82590a4eec78b6
SHA1: c887fd1ad065d9db4f52235ab82164f18bce97f7
SHA256: cf62499f848a5e181a9f1657b38a75a688ad4c1f7e1286ac3ce91e32642deb14
SHA512: 11b83e39ed52437aaa473914e71fbe552211dd480ffeb9325125f869d2c22d31d21459a4db6ad20f4765fc1e7d95b01e60dda8e8229db9d32042f0acf08e66bf

Filesize: 23.0MB
MD5: e92e3bcef586319411d591b578e9ae8f
SHA1: c232a6eb6aa3a91f288b73388dcfb01537735e86
SHA256: 496427694f4586adc57d9eaadd4be55db978df7aa4545a4c8e9b4c772b67fd3d
SHA512: fa2b7b6e1eabcc216e229d168dbf0bcd3d53f252edb9075c5eb8f868bb0c129aae65a905d72bf9c73435cfc3eb0e30c80c53f66960baf6a635d30bab38127312

Filesize: 19.1MB
MD5: 88cd2aedc28a070bcf311ab25779a725
SHA1: 077f3b100a2abcbdb39b068b547921d15ded7722
SHA256: 2f84a24f561f75420f10e2ebd77edd0f8e15e0c8bb59f6d703c3129dc64de298
SHA512: c52f83627ba34271e88b5c573bedb5b0c8949d9790ebd97ed0caf55db0d6f12a8991bc0a1c5ed1d77479ec9e6336cfc4ee32e3a31512df34e285890de9224294

Filesize: 19.1MB
MD5: d7f20b7d821f244cdad277fc906229a4
SHA1: dea7ef8baae7b7080a760acc94d6c553a6ee407a
SHA256: 77b484f9ac31b4e1e8df5158dff2ba37ab3a4037e28597ba772c13bf7f502417
SHA512: c7af461c0275b14965847dd8c4961bd85d5ada18e23866cec1dc02a5b43bfecc087e7c7955bf39adc05f221dfe4a6099b94d0fb6acb47ee7809e626b053c8430