gh0strat | 023009a501cb4457ab1262cd0ccf4210e651cb3074895de7c7632bcad801b96c

Analysis

max time kernel
148s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Size

197KB
MD5

4bb436e366bc63b6086b415a931a7d1c
SHA1

e650151697cabf8a8e97bf1fc413c8e6d1e88478
SHA256

023009a501cb4457ab1262cd0ccf4210e651cb3074895de7c7632bcad801b96c
SHA512

e8b4bafa1cee858dcae8843f77d5b86b2661159d336226a1258312ab72e4759929924005935a45f96670638350fe244045cdefa1f341a6bcafc5b47ee8b47f7f
SSDEEP

6144:gOVLnWFcvFtsFkVRTl0QdTmNPPYhVUeqPT:g8LWF++kV1KIo+pYT

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 13 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023c67-2.dat	family_gh0strat
behavioral2/files/0x000c000000023c67-8.dat	family_gh0strat
behavioral2/files/0x000e000000023c67-14.dat	family_gh0strat
behavioral2/files/0x0010000000023c67-20.dat	family_gh0strat
behavioral2/files/0x0012000000023c67-26.dat	family_gh0strat
behavioral2/files/0x0014000000023c67-32.dat	family_gh0strat
behavioral2/files/0x0016000000023c67-38.dat	family_gh0strat
behavioral2/files/0x0018000000023c67-44.dat	family_gh0strat
behavioral2/files/0x001a000000023c67-50.dat	family_gh0strat
behavioral2/files/0x001c000000023c67-56.dat	family_gh0strat
behavioral2/files/0x001e000000023c67-62.dat	family_gh0strat
behavioral2/files/0x0020000000023c67-68.dat	family_gh0strat
behavioral2/files/0x0020000000023c67-69.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 34 IoCs

pid	Process
1892	svchost.exe
1876	svchost.exe
3932	svchost.exe
2028	svchost.exe
3048	svchost.exe
3372	svchost.exe
4728	svchost.exe
3624	svchost.exe
3096	svchost.exe
3988	svchost.exe
2884	svchost.exe
4604	svchost.exe
1404	svchost.exe
4480	svchost.exe
4436	svchost.exe
1956	svchost.exe
4408	svchost.exe
4244	svchost.exe
3844	svchost.exe
5044	svchost.exe
3972	svchost.exe
2164	svchost.exe
656	svchost.exe
1636	svchost.exe
3872	svchost.exe
2704	svchost.exe
4088	svchost.exe
3540	svchost.exe
4616	svchost.exe
3148	svchost.exe
4872	svchost.exe
1528	svchost.exe
1300	svchost.exe
3436	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\%SESSIONNAME%\eemgy.pic	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
4800	1892	WerFault.exe	84
2384	1876	WerFault.exe	88
5064	3932	WerFault.exe	91
1580	2028	WerFault.exe	94
2848	3048	WerFault.exe	97
3120	3372	WerFault.exe	100
2184	4728	WerFault.exe	103
2176	3624	WerFault.exe	106
4664	3096	WerFault.exe	109
1796	3988	WerFault.exe	113
3432	2884	WerFault.exe	116
1772	4604	WerFault.exe	119
1960	1404	WerFault.exe	122
2136	4480	WerFault.exe	125
4340	4436	WerFault.exe	128
3768	1956	WerFault.exe	131
1448	4408	WerFault.exe	134
1768	4244	WerFault.exe	137
4144	3844	WerFault.exe	140
3656	5044	WerFault.exe	143
3824	3972	WerFault.exe	146
5028	2164	WerFault.exe	149
336	656	WerFault.exe	152
4612	1636	WerFault.exe	155
4664	3872	WerFault.exe	158
5024	2704	WerFault.exe	161
2192	4088	WerFault.exe	164
3612	3540	WerFault.exe	167
4928	4616	WerFault.exe	170
1960	3148	WerFault.exe	173
2640	4872	WerFault.exe	176
5112	1528	WerFault.exe	179
4012	1300	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeBackupPrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
Token: SeRestorePrivilege	1096	JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 592
  2⤵
  - Program crash
  PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1892 -ip 1892
1⤵
PID:3980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 600
  2⤵
  - Program crash
  PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1876 -ip 1876
1⤵
PID:1692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 592
  2⤵
  - Program crash
  PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3932 -ip 3932
1⤵
PID:4292

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 592
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2028 -ip 2028
1⤵
PID:4432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 592
  2⤵
  - Program crash
  PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3048 -ip 3048
1⤵
PID:1548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 592
  2⤵
  - Program crash
  PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3372 -ip 3372
1⤵
PID:4528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 592
  2⤵
  - Program crash
  PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4728 -ip 4728
1⤵
PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 592
  2⤵
  - Program crash
  PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3624 -ip 3624
1⤵
PID:4632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 592
  2⤵
  - Program crash
  PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3096 -ip 3096
1⤵
PID:3480

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 592
  2⤵
  - Program crash
  PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3988 -ip 3988
1⤵
PID:3604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 592
  2⤵
  - Program crash
  PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2884 -ip 2884
1⤵
PID:1476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 592
  2⤵
  - Program crash
  PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4604 -ip 4604
1⤵
PID:776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 592
  2⤵
  - Program crash
  PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1404 -ip 1404
1⤵
PID:4788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 592
  2⤵
  - Program crash
  PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4480 -ip 4480
1⤵
PID:2776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 592
  2⤵
  - Program crash
  PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4436 -ip 4436
1⤵
PID:2572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 592
  2⤵
  - Program crash
  PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1956 -ip 1956
1⤵
PID:2928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 600
  2⤵
  - Program crash
  PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4408 -ip 4408
1⤵
PID:2420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 592
  2⤵
  - Program crash
  PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4244 -ip 4244
1⤵
PID:4316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 592
  2⤵
  - Program crash
  PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3844 -ip 3844
1⤵
PID:1172

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 592
  2⤵
  - Program crash
  PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5044 -ip 5044
1⤵
PID:2008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 592
  2⤵
  - Program crash
  PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3972 -ip 3972
1⤵
PID:1548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 592
  2⤵
  - Program crash
  PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2164 -ip 2164
1⤵
PID:3372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 592
  2⤵
  - Program crash
  PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 656 -ip 656
1⤵
PID:2188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 592
  2⤵
  - Program crash
  PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1636 -ip 1636
1⤵
PID:2276

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 592
  2⤵
  - Program crash
  PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3872 -ip 3872
1⤵
PID:3680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 592
  2⤵
  - Program crash
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2704 -ip 2704
1⤵
PID:4764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 592
  2⤵
  - Program crash
  PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4088 -ip 4088
1⤵
PID:4912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 592
  2⤵
  - Program crash
  PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3540 -ip 3540
1⤵
PID:1776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 592
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4616 -ip 4616
1⤵
PID:3608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 592
  2⤵
  - Program crash
  PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3148 -ip 3148
1⤵
PID:4224

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 592
  2⤵
  - Program crash
  PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4872 -ip 4872
1⤵
PID:4356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 592
  2⤵
  - Program crash
  PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1528 -ip 1528
1⤵
PID:4372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 604
  2⤵
  - Program crash
  PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1300 -ip 1300
1⤵
PID:2568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%SESSIONNAME%\eemgy.pic

Filesize
15.9MB

MD5
76d84eebda17b73e08808f2a242d5587

SHA1
60ba625bb9da9d334e8c2d304c041d2cf0f34a5c

SHA256
9facc7ba2623fe4747764194c0eb5af66995e83bb0b6558070e29b4ea44c57e7

SHA512
e6665debb1c00964d793a35cad91f07c03df2a1af98c5a8354eea9810526ec01598ee64671baed9a1a4748f39fef3533cd84a5278da31b85e76831f0e7944c68

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
23.1MB

MD5
935d0b487f58ec058ce8430350a7cbde

SHA1
adacedb63fbc630400121b6a2ebb1678ae9a7c40

SHA256
4d94b993277dd726c976ce6af24a1381d9d6990a3c70a6aa9896dbcf0a7eb45b

SHA512
b463971eb69b53d5c19afa483df99388a27418f50c07ac3915b9ec97db44eb69ae55fa9ff95dbf79815ed4af3c9054f0328264730c51c10deac03c27ac5d5ecf

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
21.1MB

MD5
9c2bc76960b29e712edc8e2933e94698

SHA1
16ce2d60194e54f6a1aad1889e2979c74b1e6eab

SHA256
8d7858c8ca8abff01fa04a786929bfc3cac1559e534fb53bee1aadbb9bde005d

SHA512
c8c3f3b8cb9cc16bf772b3b1ac44aeea60d03177033aed69b51558f9495e73e3f3ebc2ee980e85856392b35c1a8e104e4ae20cd00ccd1efaa5fd848e986039cb

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
20.0MB

MD5
9a004566674d2305218d84c91688c663

SHA1
25a929c0808ca8088e529c9c0ca30c7e1b755a8b

SHA256
a7ef48c3da150e8c90ea64d92630c63346ad533cad232fb52cadf0f05748e1cb

SHA512
a9542fec4fa81cb397e8d1655977b86f66e9beedbb251c943a100a012f496b08900f24f6ad61dbc85c3b6a15faec0610926f61f093b7ab13ff1b8fd8a2374cbd

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
19.0MB

MD5
9a98edfe86acbb7ff001eb6f6f431644

SHA1
687f0a2512430fd43931e04f26a03615c12e2b9d

SHA256
dab911ed9154bf61c86882191c05212df9231e813d486f580d284192535d4723

SHA512
6fb9a9295f559b6ae19705ffd691383204fa7240298f1e359718bbaeeab2f21af064d78ca320e86a0509001ee1ae5f3c15a3f7e6431e00315d6aa61a4b70e195

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
19.0MB

MD5
c9ae9208c66c8b4e9733080bfa165cdc

SHA1
a70b6a71392fa394cf2f7b3c94893f4c784f514f

SHA256
288ade248c6b78205494f606c02ac0034efd76254039158997860b0a3907a618

SHA512
d0ac608345339a0cbd171cad91dcec1ed8a28ac91513d70c191f2777462be65dd48a8e02e58edba3fb2fa4cee379bbec37b8d61f3f1ee979ffff648ea7ed3706

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
21.1MB

MD5
d92077948d31889074afa134c67329a9

SHA1
cb40fa4bb28e2bb2851c3bb5eb86b9395fe0f2b2

SHA256
c8231c6f38bed90699785f80200bc75adc2a463050db165daff5c7f2c2b54360

SHA512
f6848f861542935d6e49fc3befb486b1137b6cf7f6f2b02f220578bd2b3f08575c417f84c2783005c79dbfcdc3e926e5be42fd862b0e8e7ed8d8a763986ba350

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
23.1MB

MD5
fc8072c4409b4a384d6268c7a9c6be63

SHA1
394d1730b3ff369dcd12dafc4db1a0ea8fec86de

SHA256
6d9c2ed8f6b4c66e2327d57b6e26b8ff3b7bd5441a6c934175f49c52ccd104ab

SHA512
6a3bf30c091f501c2829e1578119687716a39aa5481f868f6c0f2d40b39f9df7491d17ba967ef18fe3e6ec18186ab250903fee87f972653e745b0b8c683e98ca

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
22.1MB

MD5
6dcdb0c4efdb3e6d0d475de691f439bc

SHA1
27d4858bcb6d20148e2443e3ed938a8d2857bf35

SHA256
7d3abc41f5f8583185cfedcdf7a04446ceee5af2c0d36fc3483bac227c20a1b8

SHA512
8a3c6c34a7fb6af808953e873248a0e793bc8f6d4bb66e23b205aec84604f38da881880e07428b6c085b74559531fdcd90ac3dd107fd5dc5f91ed860c1845a04

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
22.1MB

MD5
072c82e8bc0d52582bcf49bd1ba0c94c

SHA1
b4f71800427d7d15e1b26ae9850835dd5f4bad80

SHA256
d9c07fd5a5feb8d8a49df618187f281e18f6e1c668902ad65ad93bb9af9eb9fd

SHA512
bc0b684ea163d11a38212dca337bd773c3df5d0ed2ecc925f51d66f9167aa5f362aa0438a7e5a56002a46d9131a72130a7c9e1034b2136657f4acac41e84504b

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
21.0MB

MD5
2c84624ec7de90dbeb4eee1ee95cab6a

SHA1
3cb666bd994601c9bd001fbad5a13812106f48f1

SHA256
c80ea40f145f45535d6ba3cbea6ad1e8ed8841bd3341ed2325201808b416f794

SHA512
64dd65e68e6a380543d91851d3a4cd45997d4fd330be84f61e7d0b63d0e8c0fa627f2e4230603e06eb499f5886b37ea055ff0ab201c9ef0c8130f2b9582cc7e5

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
20.1MB

MD5
e3c9bce5a893b2f1deba90b65828001a

SHA1
85d348e4792d8bd5744db63f0be3696123fac07e

SHA256
73953a1d282233f99216b611bf6e751bb7593236d9c48d364bd1b7c737e6f060

SHA512
3af6d17c543a26e241cebd14ad93897ede25690f3ae66a743a4f9caee376467e212149876b1a23316a9295b509f75649cc0f519eb3bef8615a00d3fe13da6b4d

Download Submit
\??\c:\program files (x86)\%sessionname%\eemgy.pic

Filesize
18.6MB

MD5
5bb5929edbd7f1be3a3ee6010789b4a5

SHA1
9fffc1c1bed03a8a2a75a2354e7a39c898666f2d

SHA256
33b7faa9069000eebb0236b92b79852e4b79a65a3ece52ee4b7fb06084def604

SHA512
61d5c17de815c312e0fad9c4a32d84d81e30fa0f7a21741b7a3df3aeb0d87fbf7fa09160d500eafca7ff538cb3d6c26188f7da1a8d6b9d408508ba60800d3b93

Download Submit