gh0strat | 1eec291949e0aa22852762eaf632c848a8f5bae0f1976a1b9b8a9b9169cd13eb

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Size

198KB
MD5

494aed20768299da1a0871ee4c0481d7
SHA1

78ed4147ff3a9f2767ea977a047d0c97e8ab7a02
SHA256

1eec291949e0aa22852762eaf632c848a8f5bae0f1976a1b9b8a9b9169cd13eb
SHA512

e0f7ed4de2d60fdf02036259ef5dd31f8b3db2a7638305a83959b52e97c9793023d92d08e88a098ba309d40bad92490d3092f85266a3cc6a22a86f4f760f9f24
SSDEEP

6144:/OVLnWFc2FtsFkVRTl0QdTmNPPYhzU6zPh:/8LWFR+kV1KIo+fTh

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/files/0x000d00000001e4cf-2.dat	family_gh0strat
behavioral2/files/0x000f00000001e4cf-8.dat	family_gh0strat
behavioral2/files/0x000500000001e731-14.dat	family_gh0strat
behavioral2/files/0x000700000001e731-20.dat	family_gh0strat
behavioral2/files/0x000900000001e731-26.dat	family_gh0strat
behavioral2/files/0x000b00000001e731-32.dat	family_gh0strat
behavioral2/files/0x000d00000001e731-38.dat	family_gh0strat
behavioral2/files/0x000f00000001e731-44.dat	family_gh0strat
behavioral2/files/0x001100000001e731-50.dat	family_gh0strat
behavioral2/files/0x001300000001e731-56.dat	family_gh0strat
behavioral2/files/0x001500000001e731-62.dat	family_gh0strat
behavioral2/files/0x001700000001e731-68.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 34 IoCs

pid	Process
956	svchost.exe
5096	svchost.exe
2216	svchost.exe
564	svchost.exe
4064	svchost.exe
3640	svchost.exe
436	svchost.exe
2656	svchost.exe
2864	svchost.exe
4520	svchost.exe
704	svchost.exe
2512	svchost.exe
2044	svchost.exe
1556	svchost.exe
4008	svchost.exe
2436	svchost.exe
2408	svchost.exe
4604	svchost.exe
4732	svchost.exe
3016	svchost.exe
4788	svchost.exe
4264	svchost.exe
3784	svchost.exe
3876	svchost.exe
3776	svchost.exe
4372	svchost.exe
1596	svchost.exe
4864	svchost.exe
4408	svchost.exe
4604	svchost.exe
556	svchost.exe
2912	svchost.exe
808	svchost.exe
3112	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\StormII\%SESSIONNAME%\hlsnf.pic	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe

Program crash 34 IoCs

pid	pid_target	Process	procid_target
1584	956	WerFault.exe	93
2064	5096	WerFault.exe	98
3316	2216	WerFault.exe	101
4336	564	WerFault.exe	106
3972	4064	WerFault.exe	109
372	3640	WerFault.exe	112
1860	436	WerFault.exe	116
4516	2656	WerFault.exe	119
1820	2864	WerFault.exe	122
4424	4520	WerFault.exe	134
1532	704	WerFault.exe	137
2732	2512	WerFault.exe	140
636	2044	WerFault.exe	143
964	1556	WerFault.exe	146
4100	4008	WerFault.exe	149
4856	2436	WerFault.exe	152
1104	2408	WerFault.exe	156
3492	4604	WerFault.exe	159
4964	4732	WerFault.exe	162
2516	3016	WerFault.exe	165
4568	4788	WerFault.exe	168
4540	4264	WerFault.exe	171
3616	3784	WerFault.exe	174
3836	3876	WerFault.exe	177
1612	3776	WerFault.exe	180
3768	4372	WerFault.exe	183
5048	1596	WerFault.exe	186
4172	4864	WerFault.exe	189
1740	4408	WerFault.exe	192
4064	4604	WerFault.exe	195
3680	556	WerFault.exe	198
812	2912	WerFault.exe	201
4832	808	WerFault.exe	204
2668	3112	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeBackupPrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
Token: SeRestorePrivilege	492	JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_494aed20768299da1a0871ee4c0481d7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 604
  2⤵
  - Program crash
  PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 956 -ip 956
1⤵
PID:1840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 592
  2⤵
  - Program crash
  PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5096 -ip 5096
1⤵
PID:2612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 592
  2⤵
  - Program crash
  PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2216 -ip 2216
1⤵
PID:2684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 592
  2⤵
  - Program crash
  PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 564 -ip 564
1⤵
PID:1240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 592
  2⤵
  - Program crash
  PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4064 -ip 4064
1⤵
PID:1256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 592
  2⤵
  - Program crash
  PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3640 -ip 3640
1⤵
PID:3192

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 592
  2⤵
  - Program crash
  PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 436 -ip 436
1⤵
PID:3016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 592
  2⤵
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2656 -ip 2656
1⤵
PID:4424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 592
  2⤵
  - Program crash
  PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2864 -ip 2864
1⤵
PID:4568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 592
  2⤵
  - Program crash
  PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4520 -ip 4520
1⤵
PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 592
  2⤵
  - Program crash
  PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 704 -ip 704
1⤵
PID:3372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 592
  2⤵
  - Program crash
  PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2512 -ip 2512
1⤵
PID:1164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 592
  2⤵
  - Program crash
  PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2044 -ip 2044
1⤵
PID:1148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 592
  2⤵
  - Program crash
  PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1556 -ip 1556
1⤵
PID:4184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 592
  2⤵
  - Program crash
  PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4008 -ip 4008
1⤵
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 592
  2⤵
  - Program crash
  PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2436 -ip 2436
1⤵
PID:1684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 592
  2⤵
  - Program crash
  PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
1⤵
PID:3892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 592
  2⤵
  - Program crash
  PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4604 -ip 4604
1⤵
PID:2204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 592
  2⤵
  - Program crash
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4732 -ip 4732
1⤵
PID:4496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 592
  2⤵
  - Program crash
  PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3016 -ip 3016
1⤵
PID:2228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 592
  2⤵
  - Program crash
  PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4788 -ip 4788
1⤵
PID:436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 592
  2⤵
  - Program crash
  PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4264 -ip 4264
1⤵
PID:1640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 592
  2⤵
  - Program crash
  PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3784 -ip 3784
1⤵
PID:3044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 592
  2⤵
  - Program crash
  PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3876 -ip 3876
1⤵
PID:4432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 592
  2⤵
  - Program crash
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3776 -ip 3776
1⤵
PID:4300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 592
  2⤵
  - Program crash
  PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4372 -ip 4372
1⤵
PID:1984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 444
  2⤵
  - Program crash
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1596 -ip 1596
1⤵
PID:4320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 592
  2⤵
  - Program crash
  PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4864 -ip 4864
1⤵
PID:4796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 592
  2⤵
  - Program crash
  PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4408 -ip 4408
1⤵
PID:1068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 592
  2⤵
  - Program crash
  PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4604 -ip 4604
1⤵
PID:564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 592
  2⤵
  - Program crash
  PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 556 -ip 556
1⤵
PID:1060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 592
  2⤵
  - Program crash
  PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2912 -ip 2912
1⤵
PID:2076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 592
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 808 -ip 808
1⤵
PID:3240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 592
  2⤵
  - Program crash
  PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3112 -ip 3112
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
22.0MB

MD5
41422a4e29c3d69f382c145057d89771

SHA1
a5639facc9fa296f8186d37bf03c7196ddf7eac9

SHA256
60dfae5963164119a3661ce5deb39546f1b7969ed9cee3b17635b064896f3c04

SHA512
baaf86806a5680b362bb88c00fd18c8b94db0452144447af5896c78ec20fedbc22a3c7cf4af56df78da4beb52c0c148d3c6db2939ca3ceb755750d14470a9a09

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
21.0MB

MD5
ed23ea81e31fb2d9fec2e1899ddec0fa

SHA1
944409b008d3a8f307cda124f5749dd7141529f8

SHA256
729b63e6ae807911dd74ddc5b141b9d8ffab0b9717ab4a410ca14be6d531d913

SHA512
e2c457624d1d22890cf6e41ccdcf79d152bfc024d4547795eb8a64fff1371ce4bd54eb82ed71b9b78bb97971abbc11fbcb06cabd47e8bd60457d0893b82415e9

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
24.0MB

MD5
a232848598182d5e90a6807070c10910

SHA1
efe72258c113d3d06056af349fedb0d1fcdd3078

SHA256
4278fb7954d7bcc1f7fca4eaf6814673366cbcc6a831ed33b05034fe6ef963f8

SHA512
5dc68f61dafcfd5e6a984b25a719ee2ce2bce6c2ee6b8a6b77604bd9e4ba3fc755aacb4b4b924c61d864a7104d0aceee47b59c9c6de614d6767d7b4581436546

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
21.0MB

MD5
8422ad1f05a07a6eb6b54f020329e0a4

SHA1
6f5533f8ca2741b543736c2c14eeedeb4a9d633a

SHA256
e7ba18cec6bcf9046ce1f7dd8cb3b845adb25f5712619ca3d14262db706b7cc5

SHA512
4f077b01baddd0c50f7a0da8a5b583630b2e752d5c460b17613ec0a88c3117340c5383be81dbbca774cbd5f10f52cab41c20d757db894e973071b667348a1540

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
22.1MB

MD5
4de902f6f4dbbd4c51177eee0b66997a

SHA1
e78d0db2873d58df763ae8842143c2ae0bbf4613

SHA256
7c471a13b2f943a2fa6ae06664c7dbba0c4556d573be7e9e3dbb670b4f91c882

SHA512
0bbf8a07053173bb4c73fdd6344df2d3ddb0dedec0f25bffde72e34b0b0901ed0ac6208b9ffe40c6d08e120503cf8d526e5cccfccbc6bebc785e81c342a71af2

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
21.1MB

MD5
5adc82ce4b7a3e9a6719ae37002c10e8

SHA1
47d0e97f8a6ef0101d9f2b5778773699ccb4f3d1

SHA256
a3ed1fff91d3ee23cb3b16120641d99981c2abc2679c373ad4b2177b7f8595fe

SHA512
c4e616cb94c4ddba8462335a7a78f9871ebd5636d1fac9fa9e34de99dbb10d3fdee997ca565c934305f698bfbfa087c34fc53235051cf1304ec852f48659af1a

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
21.0MB

MD5
7da2c5d6beae246ace12e86c4d1b2627

SHA1
6a6294111aae7d2e9116c96d13b075b0013c0651

SHA256
337dd9cf1d819977e339749867430c7bbfa9f709fa0beb5abb45eb47196fc6d8

SHA512
83092cadd4d7116381bce96b0f69d1024cf71ab10af24689fe323290e8fb170440883a87dd5627b7297a66de91f4952ef4625fc0b8e8626b7b338851b795c4c1

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
23.0MB

MD5
1dfe11e64a90995751ef22a5144a76b0

SHA1
a309f1b57a8270ca5f5f375a270401bd665c09c6

SHA256
4d1eb1220afd7bba01ab40d868a299cb4b4744c3f5ecc52e2c61ccc4d61bf483

SHA512
8a0b6ca253ae21f8453dc61d995095cb4f15894190c137b0a99add7f3b85d964004e807420a3216e23eb1b125891cf6acc66c89130620e0a2b71746e8ca93f2a

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
20.1MB

MD5
822a3f90e4afcc08c84dd31bd455e4b3

SHA1
f8931772d75be27401c78e1f63db49045ed0362c

SHA256
e5fbd00e7dacae22f527a45369a024709f9a4ba73fbb038cd8f6b38bb0cab795

SHA512
61a0795be547d9c7d463b6500fe65f3e3557e0593d9eff3d5f12e35b398f6387d96c594c15c6adca1a285c30485f213c3e788554b79db48f6d528c3fc605ea1f

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
23.0MB

MD5
8fa22b62be8c3aa8a1017af7f3eea60c

SHA1
2ac3e4513a24ecbfd87620f0feb82b3504487e38

SHA256
96d23f64eed89937f6a39c8a0296bbc91aa37398e63e5e85d725d23af8274c04

SHA512
dc4157d283d33cf28103a6397eac360329d79fa2e67ef8ce89533d0d3a99242c38e9fdf993842d5e9c5c94b2f15b9b428d414f826742bf4f0586c67378636931

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
19.1MB

MD5
8827ae47928254dc26aeb31c3337ca15

SHA1
e216d0699d160dde91ba7fa90452867434ecaed5

SHA256
758d40978f61aaf6843534842979f2a760f71e7582c7d235a2533831ae1aa159

SHA512
5566a84c31ec7ecfecbdb24d66a53165b6ef8c05869229dcebb33e0106b97fe245c296ceeae9417a240bc450db4758e334f20fdd867a856be99a6779089a6fae

Download Submit
\??\c:\program files (x86)\stormii\%sessionname%\hlsnf.pic

Filesize
19.0MB

MD5
1cfbcfff6e06a8fba64787c903aea93a

SHA1
f5f03d450080fdcf2bab1663e8aa6f4e4fccd1ef

SHA256
2d18852e1a88b0839b8970a987a9dbc4ed86f87664ac9fcba6f75cae33193bc5

SHA512
dfc5776b30bc816cf3c293734a5f92a6c6ce1a4706b114fde703603ec62acb6d3a11b2c6ca6381edfa86ccda91033ed6eaffd46fb69f70c43d9c78c02859a42a

Download Submit