gh0strat | 12611f1a00199c0c42390a3aa760633cddf25de3b691e8f1c3050f3d525e1f71

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Size

197KB
MD5

449f46a89b69413481670d6139f113a4
SHA1

c18b6bfdc25cdb96485e01fe7c4001b95c636714
SHA256

12611f1a00199c0c42390a3aa760633cddf25de3b691e8f1c3050f3d525e1f71
SHA512

e972ba878a6d6cca45eab01ca1fb7bc6b0acb8809f36588c29cc5ce3c1af4ebface23020772a800628bba766ae0a4ba9cc02f1da65df069c55df2ff31f20b371
SSDEEP

6144:oOVLnWFcOFtsFkVRTl0QdTmNPPYhLUgP4:o8LWFd+kV1KIo+74

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/files/0x0059000000023b67-3.dat	family_gh0strat
behavioral2/memory/3420-5-0x0000000000400000-0x0000000000432000-memory.dmp	family_gh0strat
behavioral2/files/0x005d000000023b67-10.dat	family_gh0strat
behavioral2/files/0x005f000000023b67-16.dat	family_gh0strat
behavioral2/files/0x0061000000023b67-22.dat	family_gh0strat
behavioral2/files/0x0063000000023b67-28.dat	family_gh0strat
behavioral2/files/0x000c000000021ed4-34.dat	family_gh0strat
behavioral2/files/0x000e000000021ed4-40.dat	family_gh0strat
behavioral2/files/0x0004000000000707-46.dat	family_gh0strat
behavioral2/files/0x0006000000000707-52.dat	family_gh0strat
behavioral2/files/0x0008000000000707-58.dat	family_gh0strat
behavioral2/files/0x000a000000000707-64.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe

Loads dropped DLL 33 IoCs

pid	Process
216	svchost.exe
3004	svchost.exe
2196	svchost.exe
4804	svchost.exe
2732	svchost.exe
1296	svchost.exe
1752	svchost.exe
1688	svchost.exe
2476	svchost.exe
5036	svchost.exe
2072	svchost.exe
4424	svchost.exe
4860	svchost.exe
652	svchost.exe
4972	svchost.exe
3424	svchost.exe
2516	svchost.exe
2208	svchost.exe
4252	svchost.exe
5068	svchost.exe
4960	svchost.exe
3356	svchost.exe
1984	svchost.exe
1968	svchost.exe
5036	svchost.exe
3460	svchost.exe
3276	svchost.exe
4496	svchost.exe
4832	svchost.exe
1604	svchost.exe
4200	svchost.exe
2264	svchost.exe
2208	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NetMeeting\%SESSIONNAME%\hbsgh.pic	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
3460	216	WerFault.exe	87
4460	3004	WerFault.exe	92
4380	2196	WerFault.exe	95
2524	4804	WerFault.exe	109
1120	2732	WerFault.exe	112
2236	1296	WerFault.exe	115
1600	1752	WerFault.exe	121
2248	1688	WerFault.exe	124
3844	2476	WerFault.exe	127
5052	5036	WerFault.exe	130
2416	2072	WerFault.exe	133
3376	4424	WerFault.exe	136
4496	4860	WerFault.exe	139
2372	652	WerFault.exe	142
4452	4972	WerFault.exe	145
3740	3424	WerFault.exe	148
4796	2516	WerFault.exe	151
1624	2208	WerFault.exe	154
4436	4252	WerFault.exe	157
820	5068	WerFault.exe	160
1512	4960	WerFault.exe	163
3568	3356	WerFault.exe	166
2548	1984	WerFault.exe	169
1912	1968	WerFault.exe	172
2544	5036	WerFault.exe	175
4580	3460	WerFault.exe	178
3052	3276	WerFault.exe	181
4360	4496	WerFault.exe	184
2056	4832	WerFault.exe	187
2572	1604	WerFault.exe	190
4388	4200	WerFault.exe	193
4916	2264	WerFault.exe	196
1584	2208	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5108	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeBackupPrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
Token: SeRestorePrivilege	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 5108	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe	83
PID 3420 wrote to memory of 5108	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe	83
PID 3420 wrote to memory of 5108	3420	JaffaCakes118_449f46a89b69413481670d6139f113a4.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_449f46a89b69413481670d6139f113a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_449f46a89b69413481670d6139f113a4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ZhuDongFangYu.exe /t
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 592
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 216 -ip 216
1⤵
PID:1452

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 592
  2⤵
  - Program crash
  PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3004 -ip 3004
1⤵
PID:4424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 592
  2⤵
  - Program crash
  PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2196 -ip 2196
1⤵
PID:3028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 592
  2⤵
  - Program crash
  PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4804 -ip 4804
1⤵
PID:2788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 592
  2⤵
  - Program crash
  PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2732 -ip 2732
1⤵
PID:4800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 592
  2⤵
  - Program crash
  PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1296 -ip 1296
1⤵
PID:4284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 592
  2⤵
  - Program crash
  PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1752 -ip 1752
1⤵
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 592
  2⤵
  - Program crash
  PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1688 -ip 1688
1⤵
PID:3752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 592
  2⤵
  - Program crash
  PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2476 -ip 2476
1⤵
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 592
  2⤵
  - Program crash
  PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5036 -ip 5036
1⤵
PID:5096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 592
  2⤵
  - Program crash
  PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2072 -ip 2072
1⤵
PID:2996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 592
  2⤵
  - Program crash
  PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4424 -ip 4424
1⤵
PID:3024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 592
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4860 -ip 4860
1⤵
PID:3960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 592
  2⤵
  - Program crash
  PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 652 -ip 652
1⤵
PID:1104

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 592
  2⤵
  - Program crash
  PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4972 -ip 4972
1⤵
PID:4248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 592
  2⤵
  - Program crash
  PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3424 -ip 3424
1⤵
PID:3584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 592
  2⤵
  - Program crash
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2516 -ip 2516
1⤵
PID:4244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 592
  2⤵
  - Program crash
  PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2208 -ip 2208
1⤵
PID:2584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 592
  2⤵
  - Program crash
  PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4252 -ip 4252
1⤵
PID:2108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 592
  2⤵
  - Program crash
  PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5068 -ip 5068
1⤵
PID:4332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 592
  2⤵
  - Program crash
  PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4960 -ip 4960
1⤵
PID:4836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 592
  2⤵
  - Program crash
  PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3356 -ip 3356
1⤵
PID:3856

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 592
  2⤵
  - Program crash
  PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1984 -ip 1984
1⤵
PID:2768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 592
  2⤵
  - Program crash
  PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 1968
1⤵
PID:3628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 592
  2⤵
  - Program crash
  PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5036 -ip 5036
1⤵
PID:4764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 592
  2⤵
  - Program crash
  PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3460 -ip 3460
1⤵
PID:1988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 592
  2⤵
  - Program crash
  PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3276 -ip 3276
1⤵
PID:4584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 592
  2⤵
  - Program crash
  PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4496 -ip 4496
1⤵
PID:4120

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 592
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4832 -ip 4832
1⤵
PID:3416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 592
  2⤵
  - Program crash
  PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1604 -ip 1604
1⤵
PID:1092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 592
  2⤵
  - Program crash
  PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4200 -ip 4200
1⤵
PID:4244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 608
  2⤵
  - Program crash
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2264 -ip 2264
1⤵
PID:2952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 608
  2⤵
  - Program crash
  PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2208 -ip 2208
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
22.0MB

MD5
1e3548284be8e3496672be119fa719e7

SHA1
7cf4988dcd2fe74088386bcf845973153918a360

SHA256
4f557d3b975abaacf9b0dc5b1d3454307460dc3af018853e855a5c3cf5f33522

SHA512
360f7fb74d0855fac67393858ab9503512e5a373cab01e29282d6389d41952847ae04daf428251aa2e8eac884b1f5f53169bf5af9661715d7f0484af55c65e7b

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
22.1MB

MD5
daed346038bf5cf2589721858d47423d

SHA1
b98df03f15a49632d9041f713a367c8663a95ad7

SHA256
f6e2deef5679bedb1abd64f3190272035d54d65030f5921d42e3a0ea02e86250

SHA512
25f46288f8327ea1385a5c3691c025381eb94723aa5b3e212c1b96ac12b568bcd9fec3c4312f1e37de8eec7658603ee18bdb424f7527d2d604abb6286f4530f5

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
24.0MB

MD5
16cd3c9d4ff9180dbf765896626dac12

SHA1
2a3cd31dd30e21ca0e475bba395c35916da27421

SHA256
4319755352ab48a44e0406b94a490c1f1cfca71f94eb9b20f51e773eb5a28d56

SHA512
f598ac62ffe0d1ab98a56034f6048e540562359633c5641948b0db2f2ac815b81c821ba0447918786f3fefeb45090d61d02ab5401b0afba594f2a37f3f0a0bcc

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
24.1MB

MD5
33d0dd691ec6beb3250906b3e37b43b2

SHA1
9e4d7b0a2a95e57fff9db43e0ed20e24c67a15eb

SHA256
cbe86d8801b7ef2e3934235b9f91c483d3eacc674cd2c1ecc13cfa1067d4383c

SHA512
305776c3c070a11db08c94c73b1abe782c0a5b937c0f5daf6c674febab46a338270d6718344e9a016d54fef6577c8d3f831490e28a736daef547e6ac97fa6df0

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
21.0MB

MD5
fcc68289ca5bec6ae60749eb9a0a045c

SHA1
703b46b0b91d1f41e719e15c0b6afab6e07c9867

SHA256
784acdca1cab7d7b90c55022ac3989054cd570607a1ecd731f5eff4d2ed586fb

SHA512
6a73cfe92972bd05dde4928ca0b3d05eab74ed348db510c5df49eaa9133b92e3b8f5dfa48234365a56719290f601cabc38a5092885e8a9f94d2c5690d2141f62

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
24.0MB

MD5
31f0d152d37b6fc6ac602607556cfd4f

SHA1
1a3fe3580dfc7ff1afdd13b0726c47a97cd66d95

SHA256
cf139ddfc569e2e0e14807ecc6ca1cf5fa3444518289d07125ce477a8b2cca22

SHA512
85423a1531cc46cc305a48d67e30fbf67eb2a0cbc7b6be4b816c390f56890f281692e3414fe44294d9c3589662e355a860015e47596f52cf4af2ce048a06c404

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
22.1MB

MD5
dbbce8f0ed675678a7cd02b8a10032d4

SHA1
212a417828aef41be1ca46cf637933d043ea71ff

SHA256
2d9d85f37986a378e023c3026b3f228ec40b0621e0a8396863f8a394e0749854

SHA512
733ac668a8cd946a2ec8714d750248bbecc19d2eebe5a5b05ca406e109a7dacd94b2fb066e5e25eaab0bbc39c5188458423a743d5a9efa04991407914fedad2c

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
23.0MB

MD5
ad2d4211f45554f992d4d1b93bd0acc7

SHA1
d94d06fdcb2311cdc6c5d54e50a49685e2f5d400

SHA256
ecdac5efdc96997a23b495cb4f2b9c24497abc9eb575fa0d9485cc372b318694

SHA512
0e88b86be997204da159e088e76660037d8dc0466e9cb20d3f9903a00aae606e6d387542ab65e0a756711207e944a402d703e7aa2b98e4e3341914569469bc5b

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
21.0MB

MD5
24f84249bcc1d32b68533d8d12735bca

SHA1
dbe4d9e7cf78a9ed64d6648fde3b2a9b49fbef88

SHA256
c33cb7cd4fab5bf06fe7b5b8045362409b09bd45a9d4bf7b2bf1d5bab7cb9429

SHA512
f666647e12dfa7ed6f4a0122e977f71c87713d54a76c722f0d0e01b3835fdc297481b3c54ddc27c0cb1da76dc03514e13c49af7410992b60a0ba3debfec1db77

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
19.1MB

MD5
292349e6181e684056c7c32815d914b0

SHA1
baf351b14e48b90daa0ef91073ee29fc35aa1f41

SHA256
f8399dfc4a6912d928ed5d2690fa2f3740745385408c021c7183d045133cabc3

SHA512
c376de9178e880d6c8568c99d0233bd7cd4dad0e02d71292cdbb2e9b8edb395f08db0c7e1e5637fbd054f6c7ff8037413bea12295a3ab118dffbcc4e09cf050c

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\hbsgh.pic

Filesize
21.1MB

MD5
45263da9f8b110c5adec77d6c1882ed9

SHA1
2ddadfb6586ba0884fdc05fb64ebeb96689cd840

SHA256
9b540046f39aee98d6ac4317b3a8585a42a7b24a8f8dd2d80684eb53b5668c29

SHA512
ae57932be8df6e7f2aa6101243c230799d4b311e39255c5a9ae831774780ecbd7746b11a834afed3c90358977ab9e18e297bf35fac11223461b2cb49ddce0de9

Download Submit
memory/3420-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3420-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download