Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-11-2024 22:10

General

  • Target

    880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe

  • Size

    871KB

  • MD5

    880ce9982e3158e07734f267a74ab877

  • SHA1

    73dbc461b9b8c20b8218859a050c2496be7dba5a

  • SHA256

    fdd31379f377aa417dd3bf8950bbdca7d021ef8d45b61a450d1ab2bdabd9e977

  • SHA512

    30460fd533da4ed19c5ce715f077f21b8395e90bafa52a43b4ffa02145b47aca545bf32fb944e24ecea16cd64dff5a6f617516b21f288ae10e5eaccdf2fee259

  • SSDEEP

    24576:K/uc//////ahbQkHZoFhdgTZP3Jk4CDS7ZX+:rc//////ahRHZoFATZP3Jk3SFX+

Malware Config

Signatures

  • Gh0st RAT payload 13 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 34 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 33 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4028 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "c:\setup.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • \??\c:\setup.exe
        c:\setup.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Users\Admin\AppData\Roaming\install18709125.exe
          C:\Users\Admin\AppData\Roaming\install18709125.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3872
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "c:\DS1.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:760
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3596
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 600
      2⤵
      • Program crash
      PID:1812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3596 -ip 3596
    1⤵
    PID:1984
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 592
      2⤵
      • Program crash
      PID:4816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3412 -ip 3412
    1⤵
    PID:3508
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 592
      2⤵
      • Program crash
      PID:4672
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3048 -ip 3048
    1⤵
    PID:4240
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 592
      2⤵
      • Program crash
      PID:1620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2864 -ip 2864
    1⤵
    PID:4836
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 592
      2⤵
      • Program crash
      PID:4528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 736 -ip 736
    1⤵
    PID:4524
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1868
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 592
      2⤵
      • Program crash
      PID:1100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1868 -ip 1868
    1⤵
    PID:5012
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 592
      2⤵
      • Program crash
      PID:3084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1848 -ip 1848
    1⤵
    PID:5048
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 592
      2⤵
      • Program crash
      PID:4380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4492 -ip 4492
    1⤵
    PID:3780
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 592
      2⤵
      • Program crash
      PID:1592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4356 -ip 4356
    1⤵
    PID:3412
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 592
      2⤵
      • Program crash
      PID:4444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3664 -ip 3664
    1⤵
    PID:3344
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1532
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 592
      2⤵
      • Program crash
      PID:4752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1532 -ip 1532
    1⤵
    PID:560
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 592
      2⤵
      • Program crash
      PID:2300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1016 -ip 1016
    1⤵
    PID:736
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 592
      2⤵
      • Program crash
      PID:1940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1476 -ip 1476
    1⤵
    PID:3384
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
      2⤵
      • Program crash
      PID:4508
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4700 -ip 4700
    1⤵
    PID:2232
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:660
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 592
      2⤵
      • Program crash
      PID:1904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 660 -ip 660
    1⤵
    PID:2536
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 592
      2⤵
      • Program crash
      PID:1484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4356 -ip 4356
    1⤵
    PID:3576
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 592
      2⤵
      • Program crash
      PID:1580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3612 -ip 3612
    1⤵
    PID:3248
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 592
      2⤵
      • Program crash
      PID:4464
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4836 -ip 4836
    1⤵
    PID:2088
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 592
      2⤵
      • Program crash
      PID:1200
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1988 -ip 1988
    1⤵
    PID:3908
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 592
      2⤵
      • Program crash
      PID:2248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3732 -ip 3732
    1⤵
    PID:1288
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 592
      2⤵
      • Program crash
      PID:2168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3024 -ip 3024
    1⤵
    PID:2648
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 592
      2⤵
      • Program crash
      PID:4700
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2232 -ip 2232
    1⤵
    PID:4508
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:876
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 592
      2⤵
      • Program crash
      PID:1820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 876 -ip 876
    1⤵
    PID:4212
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 592
      2⤵
      • Program crash
      PID:4812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1904 -ip 1904
    1⤵
    PID:2104
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 592
      2⤵
      • Program crash
      PID:968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3664 -ip 3664
    1⤵
    PID:3924
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 592
      2⤵
      • Program crash
      PID:4888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4800 -ip 4800
    1⤵
    PID:4524
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 592
      2⤵
      • Program crash
      PID:2300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2120 -ip 2120
    1⤵
    PID:1988
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 592
      2⤵
      • Program crash
      PID:4144
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3024 -ip 3024
    1⤵
    PID:776
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 592
      2⤵
      • Program crash
      PID:2812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 232 -ip 232
    1⤵
    PID:856
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 592
      2⤵
      • Program crash
      PID:4344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4060 -ip 4060
    1⤵
    PID:3600
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 592
      2⤵
      • Program crash
      PID:2392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2516 -ip 2516
    1⤵
    PID:3412
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 592
                                                                    2⤵
                                                                    • Program crash
                                                                    PID:3988
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1080 -ip 1080
                                                                  1⤵
                                                                    PID:456
                                                                  • C:\Windows\SysWOW64\svchost.exe
                                                                    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
                                                                    1⤵
                                                                    • Loads dropped DLL
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3344
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 592
                                                                      2⤵
                                                                      • Program crash
                                                                      PID:1920
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3344 -ip 3344
                                                                    1⤵
                                                                      PID:2980
                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
                                                                      1⤵
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4160
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4160 -ip 4160
                                                                      1⤵
                                                                        PID:4432

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\DS1.exe

                                                                        MD5

                                                                        d41d8cd98f00b204e9800998ecf8427e

                                                                        SHA1

                                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                        SHA256

                                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                        SHA512

                                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                                        Filesize

                                                                        471B

                                                                        MD5

                                                                        fc8856535e3bc8916e8ba168541e5e4e

                                                                        SHA1

                                                                        6aec8d612d823f6b2579e822e04c95a41fe4d50b

                                                                        SHA256

                                                                        8b02c3ca024f175678196dd201e9b86170f403597411708e6f3781d0be3a213d

                                                                        SHA512

                                                                        11cc850c4ee3c3a002f770745092fd483b3b5a256f10f654e72579722f08c8ea5e44dc6d1ed674fd136e19c8f56924387b664312accf444308e18e716995ae5c

                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                                        Filesize

                                                                        404B

                                                                        MD5

                                                                        a75f9c202789bec3e1bf338ccdf4c751

                                                                        SHA1

                                                                        ce2fc400cf0ae760723fe647ba925763b8f9f47c

                                                                        SHA256

                                                                        eb8cf9e413035b89d870b3b413f21fb75b21196e0d937cc9a54f19df2880f050

                                                                        SHA512

                                                                        012dbc474b7d735c154ed1820bb744b0eaee740375a5f5867d6df98e9196f606b26cc1cc565b37f0a82d83928bf3a9448c5d09f90dcc92a11e2b41d9618e12ad

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

                                                                        Filesize

                                                                        17KB

                                                                        MD5

                                                                        5a34cb996293fde2cb7a4ac89587393a

                                                                        SHA1

                                                                        3c96c993500690d1a77873cd62bc639b3a10653f

                                                                        SHA256

                                                                        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                                        SHA512

                                                                        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                                      • C:\Users\Admin\AppData\Roaming\install18709125.exe

                                                                        Filesize

                                                                        192KB

                                                                        MD5

                                                                        8e0cb2efb3d7491cfccf88862a032d4b

                                                                        SHA1

                                                                        e8b42147091c82fd73ae12cabae4c9ddb2c2d51a

                                                                        SHA256

                                                                        7d69a9cf389a5952d0d612880d431c9cac733b22918d769e64f756ee02b0e2e7

                                                                        SHA512

                                                                        a37fa080d43600477ae83daf569bcff1ce598c5353b5157d36586686c3ca75c12e0ff78b5f176921ccd84e84a3b39a64fa733ffe20cb16fc87191eb2fceb9a51

                                                                      • C:\Windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        24.0MB

                                                                        MD5

                                                                        ec85a2fa0f8357cb69fe68e8ab63d15a

                                                                        SHA1

                                                                        d934b6f97fc4cd38275c24cae3d1c0478e86451e

                                                                        SHA256

                                                                        08ae8eaaa69a5917cc9779bf7b8a17c02094c9094e683482f150165849002daf

                                                                        SHA512

                                                                        6e3a55a25b275c925e5fb39e04b6098dd69b31ad86b73b8786fb210f3836988bce98250138c18988571cd04b9189c8bc6628cbb31a1f7b7d5c90751b77acf015

                                                                      • C:\Windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        23.0MB

                                                                        MD5

                                                                        57b66afcb34d0aae0b00458badffded4

                                                                        SHA1

                                                                        d1d2d3982e0339ca0b48c7684b4fe5a6de4b97f4

                                                                        SHA256

                                                                        d55b755471a1c752f69476d9395d4481325bc5063a5a1283eeb97b78de24fffc

                                                                        SHA512

                                                                        de32841a40ef7cb2b718ce4548ecc914685dd99c089fe354e101635430ca238d4ca59dfad15199d0d7a3a15d15f12090e5ab6b9afdd919a8b872f7cd6a3e052e

                                                                      • C:\Windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        17.4MB

                                                                        MD5

                                                                        90196fab26afbcc8cb87aec7c1cb0efe

                                                                        SHA1

                                                                        1531e7e2ae680396099fb1496b3a2ff1d27ecd75

                                                                        SHA256

                                                                        c451c8d0a51f73a7ab87925e7c3ec8c475a8b82e98991e4e6e2a7f4dabce073a

                                                                        SHA512

                                                                        72bb6b95e16de0f073f139e31a9bbadfbf6b5bb74d1129353148eb333f667aa4c94c875aed3a1fad0cc3d95023102db03d0ff34945234203ee7ec623895d0109

                                                                      • C:\Windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        23.1MB

                                                                        MD5

                                                                        375a9164f87a7b7dc8b2ca078eac0845

                                                                        SHA1

                                                                        78c56fcaaac3d6bc042bbd2eb0cf3354e97775c0

                                                                        SHA256

                                                                        9970704801cd29a837ed16aafd13f8bbd268311c1820684824684f51ea32f75b

                                                                        SHA512

                                                                        a1af8ac55008b4a473edf641c2e5445802c3ac83aa9008dbbc204414127ee170dd4df88fc2d9d0aa1cd56ead2bcdbc0777b5f37c5bb3f94d541f8d066aac6395

                                                                      • \??\c:\setup.exe

                                                                        Filesize

                                                                        117KB

                                                                        MD5

                                                                        71b8cd2a83ab6909f6521c25ccb2af4a

                                                                        SHA1

                                                                        0c6f6a4aeed1309addc997f6ef531aab50a9721e

                                                                        SHA256

                                                                        17ca171d429cc9985a9ca79acbf612fadda3ee592935d77e8c64082ce1adabd9

                                                                        SHA512

                                                                        6b13c105b477fcf19e8153d88a52e5007aedc1cc4cdd92c3d72b2ac938240880731f466063cd9bebfc0e567aaf3acb3160b850360f1956c0c1606b8ec34b6bed

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        23.1MB

                                                                        MD5

                                                                        e26860bf09f37a8869778b77d30f3693

                                                                        SHA1

                                                                        9aa52b4bc540640607fe0287dc1551cabd520587

                                                                        SHA256

                                                                        245fb761ac05b6d51159b52f553f7ad4d7a89f0a8c3da7391890eca4f7b1c8d2

                                                                        SHA512

                                                                        06012f1abc57c0a4929fc3ba60fb05b0592eabce4c9e88b6b1bfdd468501759b53154d1b688c535efc3d79bd27f14e0ab7519491cbac72e73ab94a2e150ef949

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        19.0MB

                                                                        MD5

                                                                        6c26b9f0177370f32fadb67e95feaa42

                                                                        SHA1

                                                                        ad80fdd47d9db7a1ab0a5bfbade9910feb27b118

                                                                        SHA256

                                                                        12443087e455b94c0900efe684af3690d7f7f23a2f084267b1903c8c0f1b9a81

                                                                        SHA512

                                                                        4a924293f9f9e78cec9fd426614af52a0bc6e2ef7505efe33773c0c4e15f68da9e9eee9f664ee8882ed8efc65901e704dfabd4bbbe4f307067f6307e90e6cc04

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        19.0MB

                                                                        MD5

                                                                        1eb1eed6888ae8f808e5cada694db284

                                                                        SHA1

                                                                        a1cfcf3bbd94fb19cb5129a6b30cdcd51a885fa9

                                                                        SHA256

                                                                        feb6bdb661dbb109b1f295d88e93b403c84b80a6e1d39ecf03a96f35f06033d9

                                                                        SHA512

                                                                        d1d338aef6056e1eef0a50ff2a44e6b71f0198050c9e4c74a79cdc5499bb75bf8c0c55a866c13a7a6dbe20d20bebeab49d2614436937c4aaea9d9ff8a92741a1

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        17.5MB

                                                                        MD5

                                                                        f59e9d8b984f2ae78f7f521893d4aa4c

                                                                        SHA1

                                                                        99b8dc92cb4d7ec8aa62b25065e7de42bf243ea7

                                                                        SHA256

                                                                        775196a332726e668495a98e8254e3726e9793d2f2c892752960a63c0ac3884b

                                                                        SHA512

                                                                        b627b462fa4214d76923657070633853372ddcf6f468e34a73884ed6199e4258b14640ac851c71dcf2045d2dd0590ff9855295cf6399de30635496bb8f846280

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        24.0MB

                                                                        MD5

                                                                        190e686ad211b89e7f49d3a0cc1c3e20

                                                                        SHA1

                                                                        7ad8da7027d08ccb1aa63f011cf73e8da0815f54

                                                                        SHA256

                                                                        d24f0b288c73c5734293bcc5eae7d6eadfe6712ebf3f2d6a762ab5a516c2d5b6

                                                                        SHA512

                                                                        7e2d78e6256eb34217ca8eecde6ce726d55653d19109e07b225727b8f5cd5a6d0dea0e0894ec0b91534402e9fa3ecf9f3d4eea3589461ef515e1a272c112fb16

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        20.0MB

                                                                        MD5

                                                                        cc0a12647d52b9c47f05517e0a8d73aa

                                                                        SHA1

                                                                        d9dac765681df4a3f62aeeffe629e577c2f3bafa

                                                                        SHA256

                                                                        82f017b31612d31195bc5cdd68c545042ac9b65ae9933e3b5b5c3aaaa5b0a799

                                                                        SHA512

                                                                        065ab319e4a1093850e483f7d27f94225c4fcc8c0ac9a58099f16b6c265ff27698f41d0610e8085348f8f445dcb2591875f9b7451a3bdeadc2051663ec783ce6

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        20.0MB

                                                                        MD5

                                                                        ba41c96985409fc795c21ff5b1020a7f

                                                                        SHA1

                                                                        b9696c62337f5fa7079413d8d524e72e21f2704f

                                                                        SHA256

                                                                        7dfda13b064298820136dc86d6395db1fb98aebd3ce962ead8b9873ba25145e5

                                                                        SHA512

                                                                        e39529053bb2acfe68a7c0dadd7e86700889356032269c5740d07b04f22558d1375b74b2f7d03a580dcb6cda69dfa09b39411cff857a697bec17f3551415cba7

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        21.0MB

                                                                        MD5

                                                                        4b5b48f2b0f0e2cb6820b2841fa82bf8

                                                                        SHA1

                                                                        00132d613a4d4da0a713084340b34d2ee0c49c40

                                                                        SHA256

                                                                        eb2d4dc12f5b1641f2c50e951069756b8250f6bb63f460784b3d710fccdc5563

                                                                        SHA512

                                                                        73832576993a5825966ba3e5fe88b5fe4f7a5d725ab6e6f321e1a5e484bcec562cd52dd38c0370d344c2d7fcc3eb909da915b8c935f00f6f6da7ce6585c08b55

                                                                      • \??\c:\windows\SysWOW64\kftsd.cc3

                                                                        Filesize

                                                                        24.0MB

                                                                        MD5

                                                                        9bd65bc1eddb9ba70efb71d75acaa59b

                                                                        SHA1

                                                                        94933af77bd711806626c661a25ba569333c99c2

                                                                        SHA256

                                                                        ad2b8a6e3bc1da76cfdacb9c0aca1e3b6800c47bd33a8a53658c70eef303fdfd

                                                                        SHA512

                                                                        24418c6b17d3f6152b2b628b3728e6bf2a0f5bd3ea0e0441cd14c73efa832fb526d728b80ce71cdabffe8671773f92e9ab94a6412aaf30c5df0a44b21cfa4af0

                                                                      • memory/1288-12-0x0000000000400000-0x00000000004DF000-memory.dmp

                                                                        Filesize

                                                                        892KB

                                                                      • memory/1648-1-0x0000000000400000-0x00000000004BA000-memory.dmp

                                                                        Filesize

                                                                        744KB

                                                                      • memory/3820-4-0x0000000000400000-0x00000000004BC000-memory.dmp

                                                                        Filesize

                                                                        752KB

                                                                      • memory/4028-2-0x0000000000070000-0x000000000014F000-memory.dmp

                                                                        Filesize

                                                                        892KB