gh0strat | 2281e2bff2d96092d625a0001e8f896453157c284aee5d3de314a5f5d3ad2166

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe
Size

316KB
MD5

38a0165cbec945f4e455c58ef95181a2
SHA1

132fc6685d5f0334a10d1d7048558170a5f44434
SHA256

2281e2bff2d96092d625a0001e8f896453157c284aee5d3de314a5f5d3ad2166
SHA512

74c4d20a84be87bee7b850928c0fff29dcee0747e081ed5bec160a9a31be9e8ba9ec39403ba0eb351fc8a1f11b53b40b7090efeab0f92afd0ccde4d6215bd9c6
SSDEEP

6144:eQq/4k9wm+bdTpPw/+V3NU3wOs0DutQe4y7c1PESIJ/EPuUrC:rdNNn8utQRgcpEL/E/W

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000021fba-17.dat	family_gh0strat
behavioral2/files/0x0009000000021fba-23.dat	family_gh0strat
behavioral2/files/0x000b000000021fba-29.dat	family_gh0strat
behavioral2/files/0x000d000000021fba-35.dat	family_gh0strat
behavioral2/files/0x000f000000021fba-41.dat	family_gh0strat
behavioral2/files/0x0011000000021fba-47.dat	family_gh0strat
behavioral2/files/0x0013000000021fba-53.dat	family_gh0strat
behavioral2/files/0x0015000000021fba-59.dat	family_gh0strat
behavioral2/files/0x0017000000021fba-65.dat	family_gh0strat
behavioral2/files/0x0006000000022775-71.dat	family_gh0strat
behavioral2/files/0x001000000001da19-77.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe

Deletes itself 1 IoCs

pid	Process
3832	install140785875.exe

Executes dropped EXE 2 IoCs

pid	Process
3832	install140785875.exe
3180	PPTV_2[1].5.5.0003_forqd234.exe

Loads dropped DLL 33 IoCs

pid	Process
3512	svchost.exe
4668	svchost.exe
2316	svchost.exe
2272	svchost.exe
1056	svchost.exe
4388	svchost.exe
5064	svchost.exe
2384	svchost.exe
2296	svchost.exe
4816	svchost.exe
1624	svchost.exe
3640	svchost.exe
3928	svchost.exe
2128	svchost.exe
3060	svchost.exe
2664	svchost.exe
2388	svchost.exe
4724	svchost.exe
2244	svchost.exe
3776	svchost.exe
640	svchost.exe
5104	svchost.exe
2424	svchost.exe
512	svchost.exe
3628	svchost.exe
3960	svchost.exe
4912	svchost.exe
3008	svchost.exe
5004	svchost.exe
1460	svchost.exe
332	svchost.exe
3548	svchost.exe
4740	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Realtek\Driver\Date\Is%SESSIONNAME%\kuopj.cc3	install140785875.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
3436	3512	WerFault.exe	95
2436	4668	WerFault.exe	100
4752	2316	WerFault.exe	103
2992	2272	WerFault.exe	108
556	1056	WerFault.exe	111
632	4388	WerFault.exe	114
3340	5064	WerFault.exe	118
3624	2384	WerFault.exe	122
5088	2296	WerFault.exe	125
3604	4816	WerFault.exe	128
1104	1624	WerFault.exe	131
2832	3640	WerFault.exe	134
4740	3928	WerFault.exe	137
3180	2128	WerFault.exe	140
1940	3060	WerFault.exe	143
4000	2664	WerFault.exe	146
3300	2388	WerFault.exe	149
4500	4724	WerFault.exe	152
4808	2244	WerFault.exe	155
3472	3776	WerFault.exe	158
2832	640	WerFault.exe	161
332	5104	WerFault.exe	164
1056	2424	WerFault.exe	167
5092	512	WerFault.exe	170
4600	3628	WerFault.exe	173
3052	3960	WerFault.exe	176
4268	4912	WerFault.exe	179
5104	3008	WerFault.exe	188
224	5004	WerFault.exe	191
2476	1460	WerFault.exe	194
1828	332	WerFault.exe	205
4588	3548	WerFault.exe	208
2124	4740	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install140785875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PPTV_2[1].5.5.0003_forqd234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SidTid = "103001.14"	PPTV_2[1].5.5.0003_forqd234.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	install140785875.exe
3832	install140785875.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeBackupPrivilege	3832	install140785875.exe
Token: SeRestorePrivilege	3832	install140785875.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3180	PPTV_2[1].5.5.0003_forqd234.exe
3180	PPTV_2[1].5.5.0003_forqd234.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3832	2320	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe	88
PID 2320 wrote to memory of 3832	2320	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe	88
PID 2320 wrote to memory of 3832	2320	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe	88
PID 2320 wrote to memory of 3180	2320	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe	90
PID 2320 wrote to memory of 3180	2320	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe	90
PID 2320 wrote to memory of 3180	2320	JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\install140785875.exe
  "C:\Users\Admin\AppData\Roaming\install140785875.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe" -sC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38a0165cbec945f4e455c58ef95181a2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Users\Admin\AppData\Roaming\PPTV_2[1].5.5.0003_forqd234.exe
  "C:\Users\Admin\AppData\Roaming\PPTV_2[1].5.5.0003_forqd234.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 592
  2⤵
  - Program crash
  PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3512 -ip 3512
1⤵
PID:2388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 596
  2⤵
  - Program crash
  PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4668 -ip 4668
1⤵
PID:5084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 592
  2⤵
  - Program crash
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2316 -ip 2316
1⤵
PID:3692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 592
  2⤵
  - Program crash
  PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2272 -ip 2272
1⤵
PID:1780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 592
  2⤵
  - Program crash
  PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1056 -ip 1056
1⤵
PID:2424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 592
  2⤵
  - Program crash
  PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4388 -ip 4388
1⤵
PID:3448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 592
  2⤵
  - Program crash
  PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5064 -ip 5064
1⤵
PID:448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 592
  2⤵
  - Program crash
  PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
1⤵
PID:2108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 592
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2296 -ip 2296
1⤵
PID:2380

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 592
  2⤵
  - Program crash
  PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4816 -ip 4816
1⤵
PID:3024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 592
  2⤵
  - Program crash
  PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1624 -ip 1624
1⤵
PID:2212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 592
  2⤵
  - Program crash
  PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3640 -ip 3640
1⤵
PID:4264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 592
  2⤵
  - Program crash
  PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3928 -ip 3928
1⤵
PID:1056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 592
  2⤵
  - Program crash
  PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2128 -ip 2128
1⤵
PID:4840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 592
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3060 -ip 3060
1⤵
PID:1716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 592
  2⤵
  - Program crash
  PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2664 -ip 2664
1⤵
PID:4980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 592
  2⤵
  - Program crash
  PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2388 -ip 2388
1⤵
PID:1776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 592
  2⤵
  - Program crash
  PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724
1⤵
PID:3692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 592
  2⤵
  - Program crash
  PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2244 -ip 2244
1⤵
PID:3412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 592
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3776 -ip 3776
1⤵
PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 592
  2⤵
  - Program crash
  PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 640 -ip 640
1⤵
PID:4212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 592
  2⤵
  - Program crash
  PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5104 -ip 5104
1⤵
PID:2236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 592
  2⤵
  - Program crash
  PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2424 -ip 2424
1⤵
PID:4804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 600
  2⤵
  - Program crash
  PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 512 -ip 512
1⤵
PID:3928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 592
  2⤵
  - Program crash
  PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3628 -ip 3628
1⤵
PID:2784

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 596
  2⤵
  - Program crash
  PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3960 -ip 3960
1⤵
PID:1364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 592
  2⤵
  - Program crash
  PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4912 -ip 4912
1⤵
PID:4708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 592
  2⤵
  - Program crash
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3008 -ip 3008
1⤵
PID:2112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 592
  2⤵
  - Program crash
  PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5004 -ip 5004
1⤵
PID:2364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 592
  2⤵
  - Program crash
  PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1460 -ip 1460
1⤵
PID:4828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 600
  2⤵
  - Program crash
  PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 332 -ip 332
1⤵
PID:4636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 592
  2⤵
  - Program crash
  PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3548 -ip 3548
1⤵
PID:2840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 600
  2⤵
  - Program crash
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4740 -ip 4740
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PPTV_2[1].5.5.0003_forqd234.exe

Filesize
344KB

MD5
b60805b0785d078f8c9aeaa20e572ba4

SHA1
e5956931e0f4959fd73f88cff679ad384b116dd6

SHA256
55ab0a5b7f933096f638b0de7d6a01e4a0cc9e9a3d8d633386a0d37eaac43b0e

SHA512
06d74ea0116ffd79fa10c4fc7653a56693c2cc67917eefd5032a63ade45a08a82cd590064143ea8d433f4106b9ebb90fa44eaa2f7dc378adf041a1bddddd1ce0

Download Submit
C:\Users\Admin\AppData\Roaming\install140785875.exe

Filesize
21.1MB

MD5
b888ee89fee7dedb526a5e3f654c1dfa

SHA1
626f5cee1004a19e3b62782172b7654c6a9a48ef

SHA256
367528262cf8abb5fbaf2e3991a644bcab809dde56806c1ba205b56dbd8d08f5

SHA512
cc60074dc4a3a53a07106e375d8ce9cc981c8b8ada8527a6d3fdbf1ebb953fc9f99918fcc8938b55fe2bdc2d3bdadaff8717e9d46fec0e369a81daaae242434f

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
20.1MB

MD5
88e8bee3f5327637a95e5545330b2ce3

SHA1
b163fd138ac3ea5bd2e5af0585f2b4619de0ddb9

SHA256
bf557f2249693ce7885e935c24e2023282dd8e94b196ba65bf0bc4e2728da876

SHA512
69660a96569d6ae92c43070b4122df4f413876e643856e802ba2c5275a29e0d10025128c5bb6d57abe8a497e914fdd03ebea45cf5d3a29c0ee89f1da4d7d0638

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
22.0MB

MD5
285b1221caa5a6c090afcc96683409cf

SHA1
71a6fbab954d54a0544de4c30b2f3a05c673f812

SHA256
7c577c770f02ad1fbfe64faecb10c43379d20ce1b83f1c4ff424552f682a2e10

SHA512
d3d8eed6a20bc73c6ec9723ee9ad3527d2505b4edb778b4beabb943b06d463516bdfc69cbda27ab2eaf2c0241fadc5249ccc8477eeaa8479459a866a9dbb49dd

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
21.0MB

MD5
eac7df6769b0ec6f50cac2254ac2d0d5

SHA1
f9858c345aabbbced373a8e94f118883f5b6c716

SHA256
6179b551ffd7b789be633beb1b0a189f2f4010fa1358fd96b8947f83192bb4e9

SHA512
bdfc71f586bb18bb050ef617532bde61606f20b30f36887db18c3a1ff09ab6c1746bc6fbab79a7d516ba246766e0713a84431b45ba30990c8a55dd7e61e39c28

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
19.1MB

MD5
5b328b604533611772d27062ed496bd9

SHA1
aa95432fd6e529c55bf68f53260825518c7c139d

SHA256
f46ce1292d530e051c3367b7681cf5f332edf00d845fcc729fbc53eefd22c555

SHA512
d8d5fcfbebc5c3f07141149938caf7eb71829aaae4dce49253d07dbbc9a9c637e2958bf49a25afdd698b7cc48031463bf8daf1c3dfa4cce865fd614149b02349

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
24.0MB

MD5
ea08a291081875f3a6e8bd47a1087e09

SHA1
bb8a6a993e836285e51df1b6152101e354f1216e

SHA256
5f677170a6eb775015f6c07db7eaf215b3d832d2feb8bad39ffe8b0333eeac0b

SHA512
c0c7d731c8df2ce6c9d1047f5d231b8a1c55366f526b6e3c51ad66393e82437b8b74766c01082e261ed5aa4da1bad43fd23333cb73aaca8a5f0e5c084f5cdc54

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
23.1MB

MD5
280ea32b3ff9f90211b134eb752c73d1

SHA1
df3c13cbb84679671bbf6cd9b72e43e36ac8074e

SHA256
6b30d0a7cc509ff7a8519fea30e2dd1c0d05390003ddc396db4dddcecda3cc8f

SHA512
39449dc543122dd6007e70f67dd7ee8992574532143fb3968809f0e32741453760062d43df6956afb761e095292889a6001a63ab82322bad93cb8c89d80a407a

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
22.0MB

MD5
d9212d012510789a008c2abe931bd509

SHA1
9efbcb025a2d6e5add52c9adb01058750dcc9c1d

SHA256
25233d32d4951e31cf275251216b0676cf69088f4d2c571d7bb2634995e4acf0

SHA512
d44d8342a529dcbcf5d143850ad094a8fef1a5c125ccb409eb45ff1c7c1f316aae3c14cb9c154adec24ba584b1970f7a7a4654dc517076259479d9e71949e520

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
23.0MB

MD5
8f266ed47669abd00210a974a1998e68

SHA1
6b839247c5b1041ad440ea3aee930e0e21d19b41

SHA256
b0e96bc2bd0957c3120117c06315593b07fac0175544c310c7476079be033559

SHA512
1a6b1cf1ab42b0079daee8048f32b4995344beab1b1de0aaac7aeb93a3ddd97a1cca1086a6cc3bb913c88d7f6fba03864de53ef942db92a9a921df29dbf24c80

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
24.0MB

MD5
ef66669df3f3d4d473b5d99b3ad31939

SHA1
187d77fb2e2d0d65528e3b8c990f5f18bab3ce4d

SHA256
862b3c05e4cf978a232ab9068c3bc7a915c1c52b37452477f8ba3e264b75f41b

SHA512
71ec1fd344c2c9fb94a2bb65e8fb2ad69636815b7867941169d4959a65aa9de422d4fc83fa583616ea01c8fefff392b26689e675e2fdc08f306bf274fb707652

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
23.0MB

MD5
ece122a52aaa08efe7cf854ab6285402

SHA1
6a891cae9d5d794d97f58cf41df75a0d35ddee8d

SHA256
c8d7c60488521126defee65be4e90032865e6458aa834dcc0ac3df67246c4ff5

SHA512
681952d1c8b2c30b0f29178ea34b9323b4991a68ca558d6d418927fe3129b9a2af011d01af8cc2f91bf1938beba047512171af8467f0260a6d2f460c63d621f1

Download Submit
\??\c:\program files (x86)\realtek\driver\date\is%sessionname%\kuopj.cc3

Filesize
19.0MB

MD5
c43a12a885f6738a375f39c6ffe3c622

SHA1
68e0f511ab0c34499b8c2508399cfa6b22712559

SHA256
11eef653016e0ea4df73480362734d0b2fc82d48c011da7daa9d599a347986e8

SHA512
0e11113735ef378ce821c15061f84785f0854ca8e6a05a92af7eabe7b5505e5de8cc2c681d43a915e4a0421ab63f5576ecbed22d8b0ca8dda42377929ba5cb5a

Download Submit