gh0strat | 3e5a324a654e7c46ca6bf9bc70a50233d880bc096e0e00e01b3dc25c1b7207c4

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Size

198KB
MD5

46e075ff0edcba5a0195553abc04c9af
SHA1

15de1b73fa01ad97099ad2090100ba837a60d0ee
SHA256

3e5a324a654e7c46ca6bf9bc70a50233d880bc096e0e00e01b3dc25c1b7207c4
SHA512

83a852c67fb0a1c633b415271d6886c034095ef094277e36cac1693080960f5a4c431f7fdf6530ec9385ebeccd156c6e6ca8e7aee4135e8ea50151205eda1789
SSDEEP

6144:4OVLnWFcAFtsFkVRTl0QdTmNPPYh7x32m:48LWFv+kV1KIo+Um

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 13 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c48-2.dat	family_gh0strat
behavioral2/files/0x000d000000023c48-8.dat	family_gh0strat
behavioral2/files/0x000800000001e6da-14.dat	family_gh0strat
behavioral2/files/0x000a00000001e6da-20.dat	family_gh0strat
behavioral2/files/0x000c00000001e6da-26.dat	family_gh0strat
behavioral2/files/0x000400000001e6a5-32.dat	family_gh0strat
behavioral2/files/0x000600000001e6a5-38.dat	family_gh0strat
behavioral2/files/0x000800000001e6a5-44.dat	family_gh0strat
behavioral2/files/0x000a00000001e6a5-50.dat	family_gh0strat
behavioral2/files/0x000c00000001e6a5-56.dat	family_gh0strat
behavioral2/files/0x000e00000001e6a5-62.dat	family_gh0strat
behavioral2/files/0x000e00000001e6a5-64.dat	family_gh0strat
behavioral2/files/0x000e00000001e6a5-65.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe

Loads dropped DLL 33 IoCs

pid	Process
936	svchost.exe
3836	svchost.exe
1548	svchost.exe
3568	svchost.exe
4924	svchost.exe
336	svchost.exe
5068	svchost.exe
516	svchost.exe
612	svchost.exe
3552	svchost.exe
4268	svchost.exe
4456	svchost.exe
3308	svchost.exe
2492	svchost.exe
1448	svchost.exe
2568	svchost.exe
4032	svchost.exe
4116	svchost.exe
1860	svchost.exe
1064	svchost.exe
4512	svchost.exe
1328	svchost.exe
4152	svchost.exe
2864	svchost.exe
2148	svchost.exe
5032	svchost.exe
1804	svchost.exe
3624	svchost.exe
1344	svchost.exe
3044	svchost.exe
5056	svchost.exe
3416	svchost.exe
4384	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NetMeeting\%360SD%NNAME%\xfbsb.cip	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
2560	936	WerFault.exe	99
1208	3836	WerFault.exe	103
628	1548	WerFault.exe	106
2644	3568	WerFault.exe	109
4504	4924	WerFault.exe	112
4328	336	WerFault.exe	115
2644	5068	WerFault.exe	127
1668	516	WerFault.exe	130
2920	612	WerFault.exe	133
4172	3552	WerFault.exe	136
3668	4268	WerFault.exe	139
1096	4456	WerFault.exe	142
1576	3308	WerFault.exe	145
4596	2492	WerFault.exe	148
2148	1448	WerFault.exe	151
4012	2568	WerFault.exe	156
3624	4032	WerFault.exe	159
2504	4116	WerFault.exe	162
4408	1860	WerFault.exe	165
2548	1064	WerFault.exe	168
3000	4512	WerFault.exe	171
3332	1328	WerFault.exe	174
552	4152	WerFault.exe	177
3460	2864	WerFault.exe	180
4164	2148	WerFault.exe	184
720	5032	WerFault.exe	187
1544	1804	WerFault.exe	190
2156	3624	WerFault.exe	193
4868	1344	WerFault.exe	196
772	3044	WerFault.exe	199
4352	5056	WerFault.exe	205
1820	3416	WerFault.exe	208
3100	4384	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3580	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeBackupPrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
Token: SeRestorePrivilege	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3580	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe	89
PID 2536 wrote to memory of 3580	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe	89
PID 2536 wrote to memory of 3580	2536	JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46e075ff0edcba5a0195553abc04c9af.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ZhuDongFangYu.exe /t
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 592
  2⤵
  - Program crash
  PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 936 -ip 936
1⤵
PID:1984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 592
  2⤵
  - Program crash
  PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3836 -ip 3836
1⤵
PID:896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 592
  2⤵
  - Program crash
  PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1548 -ip 1548
1⤵
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 592
  2⤵
  - Program crash
  PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3568 -ip 3568
1⤵
PID:1936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 600
  2⤵
  - Program crash
  PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4924 -ip 4924
1⤵
PID:516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 592
  2⤵
  - Program crash
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 336 -ip 336
1⤵
PID:788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 592
  2⤵
  - Program crash
  PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5068 -ip 5068
1⤵
PID:4896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 592
  2⤵
  - Program crash
  PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 516 -ip 516
1⤵
PID:1744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 592
  2⤵
  - Program crash
  PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 612 -ip 612
1⤵
PID:2496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 592
  2⤵
  - Program crash
  PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3552 -ip 3552
1⤵
PID:1092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 592
  2⤵
  - Program crash
  PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4268 -ip 4268
1⤵
PID:4124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 592
  2⤵
  - Program crash
  PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4456 -ip 4456
1⤵
PID:2224

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 592
  2⤵
  - Program crash
  PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3308 -ip 3308
1⤵
PID:3704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 592
  2⤵
  - Program crash
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2492 -ip 2492
1⤵
PID:2680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 592
  2⤵
  - Program crash
  PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1448 -ip 1448
1⤵
PID:716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 592
  2⤵
  - Program crash
  PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2568 -ip 2568
1⤵
PID:5100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 592
  2⤵
  - Program crash
  PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4032 -ip 4032
1⤵
PID:4852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 592
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4116 -ip 4116
1⤵
PID:4392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 592
  2⤵
  - Program crash
  PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1860 -ip 1860
1⤵
PID:3348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 592
  2⤵
  - Program crash
  PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1064 -ip 1064
1⤵
PID:1352

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 592
  2⤵
  - Program crash
  PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4512 -ip 4512
1⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 592
  2⤵
  - Program crash
  PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1328 -ip 1328
1⤵
PID:3024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 592
  2⤵
  - Program crash
  PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4152 -ip 4152
1⤵
PID:4984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 592
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2864 -ip 2864
1⤵
PID:4460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 592
  2⤵
  - Program crash
  PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2148 -ip 2148
1⤵
PID:2232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 592
  2⤵
  - Program crash
  PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5032 -ip 5032
1⤵
PID:964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 592
  2⤵
  - Program crash
  PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1804 -ip 1804
1⤵
PID:4328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 592
  2⤵
  - Program crash
  PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3624 -ip 3624
1⤵
PID:948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 592
  2⤵
  - Program crash
  PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1344 -ip 1344
1⤵
PID:3400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 516
  2⤵
  - Program crash
  PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3044 -ip 3044
1⤵
PID:4432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 592
  2⤵
  - Program crash
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5056 -ip 5056
1⤵
PID:1728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 592
  2⤵
  - Program crash
  PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3416 -ip 3416
1⤵
PID:4208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 592
  2⤵
  - Program crash
  PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4384 -ip 4384
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NetMeeting\%360SD%NNAME%\xfbsb.cip

Filesize
19.5MB

MD5
0a96b7cb003e8a257570badefa132d63

SHA1
f4881515f3830dd3f740cffb5a121179a016240f

SHA256
97308a62852fa2ce77d21bbbb5cd285e5b81bad6ce39f919ba17039366f3520f

SHA512
cfbe466fce47068d6d6e154d0e24f176a040fbf4c260d6cbc4dc8f3a18f8521f0a87f89bceaa058716fedfc2b01fa42e0428ddb9013cd4a9ba5d3c52e8f6dfb9

Download Submit
C:\Program Files (x86)\NetMeeting\%360SD%NNAME%\xfbsb.cip

Filesize
17.7MB

MD5
3d95eb03a41c799a058eace633ca8e41

SHA1
4e3f8a0649f072f358a69289cba0f63e3c803f87

SHA256
78b737148a0b81b035be7d66578bacc3cda885b6e638b083c8faeac7b04d2eb9

SHA512
bb795f341b21a1dbb2e14c3f0b0f07e599ea159fb85a74453ff8737910328f24f6bf00dac34618055926bdb2d48e82636646358fc1f17b3dd81d40194acdc255

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
24.0MB

MD5
0cae1fb7c2d6ac11785c830aa3061314

SHA1
dea61a3e868dcd7f1e644189739e99b831e56abc

SHA256
62fd795d4b1ea665c2f50778b7418ded496d3542c3f35fc811c60d04d556a51f

SHA512
c500844ae1ad8709261f241d6d147c57c07e80041254f89700d5c70543927d4fdf177783161bcc4ac809bebdcb9fa9201ab682fcfce0ca0f625a9617f20e5f4b

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
23.1MB

MD5
7a27934b5262f2303bae2afe767e3d82

SHA1
79080976fa75f713eac3a0e36199472445baa4a9

SHA256
864bb434706738018a367d92ec9f58240fd3d5ce078350d1254f54d59f3198b6

SHA512
427d20fe1317f351a6933581353efb47c7415710962a1910a755b7f6a16031c0e4459b99967d75281000eacf717eb0d982abbde9109ae278bbaba687ea317202

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
21.1MB

MD5
20aca15ff2266d41149eea249aa2dec3

SHA1
12a5ac4ec580340c441c247654288ca81fa13b4c

SHA256
f401ee77b171104fd0bb99ddeb135dcef4882bf80f43d65195f9f0a0d63747f8

SHA512
b18c1b104618ad0d733ae70d9a62b7b124467629e1a1f4ce712f50b8ecd220a5f340732d7619d40cbfba291e201157612e6e131cce0b81959837b6c27ed4b00e

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
21.0MB

MD5
ad4c5b1a621e87c951d44866b93be85b

SHA1
8b041a587e6639310076af2b6ef62f789e80511b

SHA256
8e3f1baa7e8d78d18e80e46614a5526651886c46e1569fb664d581a1c538e1f1

SHA512
4efe0674339d7eb28ab0dc522e20f209edbbe01a88ec969d828051dcb729e8ed467b3359893fccfd1e8898188d7889c00317c02bec9f17e6c314452fdb1449f2

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
22.1MB

MD5
2c97c431e622baefa010527e459e982c

SHA1
adb7502841c08abd3391d72a76ae923226f93bd2

SHA256
63f6b9b83b724163c1c93c13a02aaaa973188a8aec17fc63e6c330c03eb864c2

SHA512
913c4e59d7cc45884c4a72ac817c8f6fdc9a4448106bc939fbf0cbbb21a58308dec8809252033d43f2bec3280b0e0369dcc5cc4e91a0d8a47f421eb74ee64c1a

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
23.1MB

MD5
e397002da88824d3d487e5eed315f979

SHA1
fbebd378290b8fc3f042b819cce49f500d96a9b0

SHA256
4046c3ff0ea25161b803bd96b0e9d3f31b3218bf270541fc2d7fc5c124404289

SHA512
b2507cc5431f932b22d10e010be72f9c6d2d6bdc7e1ddd5d7fffcb97630013bc2f2746fbb65aad3488e406e4594d07fd3e6d53526e60fb9cac3e54472763f72e

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
21.0MB

MD5
2172cd42381dbb2a64bca42854146d76

SHA1
47ab0cb5ba8071cd4379245718c66ff1ebfc7f68

SHA256
e80edd617da633e985ef7af9307a4546e766e114488bb4e4ed791d42447356a6

SHA512
655486f397335e16c8a68e5604f0c0a0acbc67dc6d22e6c8e9a3ba415e9e34952ec3898e3bdf532e860f81a44f95974eea5cee60937c62b1ce50a675e3c8df05

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
22.0MB

MD5
e811e4f88684d23df65bc0516b5326d7

SHA1
6e3a7ea61ce3b7acb5b526a6fd2ef30762bd9181

SHA256
91b35260bebd4194a8943a29b465c90bc9b885badfc1cd616f58411e3cbaa3f1

SHA512
297c0592badb6df95f4237e22552dec7de83905b392f27d1ad369de478990efdd7adbd0078a0d52f4d50bbc9acff288f6bb6c186bc7ab85bd97a80f958a5214b

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
20.1MB

MD5
84350b735d9eedc085569948d6a5e8e0

SHA1
50006e0eb2503fca81d2893305dbc2ec67c63361

SHA256
c4aea048d696e36ec1a78db83c558921c7fda030d1d0cc4db771eb77b41f6cd3

SHA512
36ec090a4baf42ee58deae48ab092c7eea70e721b9c6679b13e2b9302d841b1d325c9f56d7244632f3df5f4be00ce9fd6aeb53effaa8eb9a0d8cde54288ada8d

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
19.0MB

MD5
daf04016513b16a5d6da4c14f491dbfa

SHA1
1a2aa71bea7f4dcf10e1b83f72490b70de06f92e

SHA256
49dfa1d47cf940f7354210a07d14a3b177aebd7defae5944c52025cb2c7f8044

SHA512
87b7262f24760e4791597bd192074d6fc634c5a4c56d3fdfeae55b917b5ffcd06afdabb5c94909a32d23f64c6b68bdaabc5c08bd491abc152c2958f2a311dec5

Download Submit
\??\c:\program files (x86)\netmeeting\%360sd%nname%\xfbsb.cip

Filesize
24.1MB

MD5
e0c3e3acef73785ebc92bb29c7750ee3

SHA1
4958603dd564547a280ab70f9df7cf6477513c68

SHA256
761c576194a5522a5585fed0fc48014d060c8b08816d9ceea6e34d37e2c6a08b

SHA512
e49ed1c346588371c107d3204519dc595a721816c324c91a20ad47732e848f4c7488df2c2b0408ae7e9df24f16bd80d5e55a7deaec5203db3339ff6bddb6ef18

Download Submit