gh0strat | 3e8cc60745e9f927533721ebe6cb480b69c884656154a3b73758920d7a01275b

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Size

192KB
MD5

4cc864f606390d06fec82486754341ae
SHA1

93d2758444a6eda0936b9137d880117cc564604c
SHA256

3e8cc60745e9f927533721ebe6cb480b69c884656154a3b73758920d7a01275b
SHA512

2d910268876fce6a7ec0a2cadfe2ddcfdbe380949a5d0146db28d59159e07b9f2bf17b074f19c707aa2dcc578fc6a977862eedcf854a13b1a2fc81a96bcca16f
SSDEEP

3072:OQk3DH+bK+snWjvUJFMKkj8aPBHA40qcVWhUXYvpSVxoTVrbMzYiw/mEFVc:OQkTH+bpsnWjvEkrPadqc6UIvK6jtm

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022a03-2.dat	family_gh0strat
behavioral2/files/0x0007000000022a03-8.dat	family_gh0strat
behavioral2/files/0x0011000000023c0f-14.dat	family_gh0strat
behavioral2/files/0x0013000000023c0f-20.dat	family_gh0strat
behavioral2/files/0x0015000000023c0f-26.dat	family_gh0strat
behavioral2/files/0x0017000000023c0f-32.dat	family_gh0strat
behavioral2/files/0x0019000000023c0f-38.dat	family_gh0strat
behavioral2/files/0x001b000000023c0f-44.dat	family_gh0strat
behavioral2/files/0x0006000000022a08-50.dat	family_gh0strat
behavioral2/files/0x0008000000022a08-56.dat	family_gh0strat
behavioral2/files/0x000a000000022a08-62.dat	family_gh0strat
behavioral2/files/0x000f00000001e5cd-68.dat	family_gh0strat
behavioral2/files/0x000f00000001e5cd-70.dat	family_gh0strat
behavioral2/files/0x000f00000001e5cd-71.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 35 IoCs

pid	Process
3676	svchost.exe
4812	svchost.exe
3632	svchost.exe
2748	svchost.exe
2064	svchost.exe
3356	svchost.exe
3128	svchost.exe
4112	svchost.exe
1948	svchost.exe
2388	svchost.exe
3208	svchost.exe
3580	svchost.exe
836	svchost.exe
3948	svchost.exe
3816	svchost.exe
1012	svchost.exe
2024	svchost.exe
452	svchost.exe
1456	svchost.exe
3936	svchost.exe
752	svchost.exe
3200	svchost.exe
3464	svchost.exe
4996	svchost.exe
1432	svchost.exe
464	svchost.exe
3292	svchost.exe
1788	svchost.exe
4892	svchost.exe
1160	svchost.exe
2212	svchost.exe
2592	svchost.exe
5084	svchost.exe
5008	svchost.exe
1220	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vmdij.cc3	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe

Program crash 35 IoCs

pid	pid_target	Process	procid_target
940	3676	WerFault.exe	91
4596	4812	WerFault.exe	95
4608	3632	WerFault.exe	98
4980	2748	WerFault.exe	104
2636	2064	WerFault.exe	107
3576	3356	WerFault.exe	110
2644	3128	WerFault.exe	114
3384	4112	WerFault.exe	117
3152	1948	WerFault.exe	120
3916	2388	WerFault.exe	124
2340	3208	WerFault.exe	127
1076	3580	WerFault.exe	130
1476	836	WerFault.exe	133
3812	3948	WerFault.exe	136
2944	3816	WerFault.exe	139
3168	1012	WerFault.exe	142
4752	2024	WerFault.exe	145
2752	452	WerFault.exe	148
3496	1456	WerFault.exe	151
4956	3936	WerFault.exe	154
2316	752	WerFault.exe	157
4736	3200	WerFault.exe	160
264	3464	WerFault.exe	163
4180	4996	WerFault.exe	166
1904	1432	WerFault.exe	180
3160	464	WerFault.exe	183
1428	3292	WerFault.exe	186
3436	1788	WerFault.exe	189
1528	4892	WerFault.exe	192
2068	1160	WerFault.exe	195
3928	2212	WerFault.exe	198
4488	2592	WerFault.exe	201
2280	5084	WerFault.exe	207
5020	5008	WerFault.exe	210
1856	1220	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeBackupPrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
Token: SeRestorePrivilege	3224	JaffaCakes118_4cc864f606390d06fec82486754341ae.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cc864f606390d06fec82486754341ae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cc864f606390d06fec82486754341ae.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 592
  2⤵
  - Program crash
  PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3676 -ip 3676
1⤵
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 592
  2⤵
  - Program crash
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4812 -ip 4812
1⤵
PID:4976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 592
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3632 -ip 3632
1⤵
PID:5028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 596
  2⤵
  - Program crash
  PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2748 -ip 2748
1⤵
PID:1428

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 592
  2⤵
  - Program crash
  PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2064 -ip 2064
1⤵
PID:3292

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 592
  2⤵
  - Program crash
  PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3356 -ip 3356
1⤵
PID:5048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 580
  2⤵
  - Program crash
  PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3128 -ip 3128
1⤵
PID:4692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 592
  2⤵
  - Program crash
  PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4112 -ip 4112
1⤵
PID:3960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 592
  2⤵
  - Program crash
  PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1948 -ip 1948
1⤵
PID:4896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 592
  2⤵
  - Program crash
  PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2388 -ip 2388
1⤵
PID:1812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 592
  2⤵
  - Program crash
  PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3208 -ip 3208
1⤵
PID:4492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 596
  2⤵
  - Program crash
  PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3580 -ip 3580
1⤵
PID:4696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 596
  2⤵
  - Program crash
  PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 836 -ip 836
1⤵
PID:1444

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 596
  2⤵
  - Program crash
  PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3948 -ip 3948
1⤵
PID:740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 592
  2⤵
  - Program crash
  PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3816 -ip 3816
1⤵
PID:2840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 592
  2⤵
  - Program crash
  PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1012 -ip 1012
1⤵
PID:3372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 596
  2⤵
  - Program crash
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2024 -ip 2024
1⤵
PID:3128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 592
  2⤵
  - Program crash
  PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 452 -ip 452
1⤵
PID:996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 592
  2⤵
  - Program crash
  PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1456 -ip 1456
1⤵
PID:4532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 592
  2⤵
  - Program crash
  PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3936 -ip 3936
1⤵
PID:2916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 592
  2⤵
  - Program crash
  PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 752 -ip 752
1⤵
PID:4612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 592
  2⤵
  - Program crash
  PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3200 -ip 3200
1⤵
PID:2040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 588
  2⤵
  - Program crash
  PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3464 -ip 3464
1⤵
PID:1312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 592
  2⤵
  - Program crash
  PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4996 -ip 4996
1⤵
PID:2372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 592
  2⤵
  - Program crash
  PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1432 -ip 1432
1⤵
PID:1148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 592
  2⤵
  - Program crash
  PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 464 -ip 464
1⤵
PID:2056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 592
  2⤵
  - Program crash
  PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3292 -ip 3292
1⤵
PID:1476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 600
  2⤵
  - Program crash
  PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1788 -ip 1788
1⤵
PID:1688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 576
  2⤵
  - Program crash
  PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4892 -ip 4892
1⤵
PID:992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 592
  2⤵
  - Program crash
  PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1160 -ip 1160
1⤵
PID:1392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 592
  2⤵
  - Program crash
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2212 -ip 2212
1⤵
PID:2704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 592
  2⤵
  - Program crash
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2592 -ip 2592
1⤵
PID:4312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 592
  2⤵
  - Program crash
  PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5084 -ip 5084
1⤵
PID:3484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 592
  2⤵
  - Program crash
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5008 -ip 5008
1⤵
PID:4344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 580
  2⤵
  - Program crash
  PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1220 -ip 1220
1⤵
PID:4404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vmdij.cc3

Filesize
18.6MB

MD5
9f5549333435bd0793b2642127c37373

SHA1
cdbdc21fe95ed19bfba86846ef12a676d29ba540

SHA256
8b6163b5657fe2e353f0a33e2e4d52cc744a5d07bbc8d9a69423dcc5c04809a3

SHA512
d5879fc63d8846d1102f512f17393642a490b62f92aaf90c279286802cbf080ad1818b24de791c23ee161e4d80c27bc058ded5017f798362b0c64e5e57027394

Download Submit
C:\Windows\SysWOW64\vmdij.cc3

Filesize
2.3MB

MD5
d0a151de5b38a59e977e4c1bd0c784f9

SHA1
4f4702411db0a320372f8fff7f48bc086354434e

SHA256
ddb1d82cd3e1a0607aa5ece5f6e00535d4499a5217c9ac7374867bfcfd706655

SHA512
ff29aad76398653e7ba2db0fde79f5d43f21e236e976680837eb26f92bee36c9caa7a9abe965887d206ef05800530e01d9af4f60db76e634f2eb2d04b1e2db78

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
21.0MB

MD5
1d6643c4c6f0a9256611d9be4b89393f

SHA1
93ed9b7833567f5da96a27fc3b48367d9a16df38

SHA256
7ec84123327421570b770d25e4b3a999d46955d9e82ea543031fae3a6430bba5

SHA512
892f3361530d4bfd412b8f5abfb2fc37e6dac6d10595fa74a6fa8c7d61ba5ced830b71a6bc696df837c9f7a2928a07a75f26a7f9e6a0458ec47ee19c36d1de93

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
22.0MB

MD5
c3465aa94e9b3aff8c1129ad80fc341b

SHA1
c1758e914a4cc3d554642df3eb57e07115403050

SHA256
fb7e445222d2640d9e139be0193150fee8e7141ab0f24372d657917402b93ea9

SHA512
de8814fae2d63eff3d2c66a7014e6efb1add2d88cb2f3d4cdbbaddbdc93be907b1c33f44d7bc375c3dbe74be01532f84082c3510b0bfa30777f6bdff0cdfd0e0

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
20.0MB

MD5
a31f6c360e8e7a497be6b01166e331c1

SHA1
beddecdfa833445dc0f1a04554813bcac3ecf5f4

SHA256
9dff7096e816da82c389e0782dec185109860ab00b9bcd995f6fdf7db7ec0e22

SHA512
36329837557abc9e298515fbdb10c30c0006656dccce00d185faa2c422c6f7af779f34dc258d7f8bb164c352b3359c5f7e402159cc3c2cb26d0de651e4ce2b83

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
24.0MB

MD5
9cbae6efc0e610cdadf530a18c9c1c39

SHA1
21184d22ed6c7b5713c1e6045220131406a9f02b

SHA256
668316aa3e797546b2e814b2e2af6e2b495e5a6c7f6b586fd890e601263137f8

SHA512
c7f7a5cdfe66efa1bd8821d6a065961d9da6ea63448fa759c875b8565e6c4c64d1c3f339ebf7af6cc95e23f5256aad2947568f2ce8822fafc4857c3ff32d0c08

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
24.1MB

MD5
b20bb6262697c98983a0fb56cc65f14a

SHA1
0e8a9c6c2171c5493a5b2bd1863e19dda4fcd65d

SHA256
70a0770e7d0edfa7fb232e6bad715386f4f6fd8dc70b46c6025a68c71d68146e

SHA512
745a1264e90a8e922cfe7fd0f9c6d63d2416ac23539fa04c3d80327e9a27addf5e22d5da0f63098b12ef6eefb26663ba396bdc914d1b1179564897f1129fdb3b

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
22.1MB

MD5
a120585294beaa8028137a2da212da60

SHA1
90ae44d8de16262de055fc464026b83556e0cd5c

SHA256
fe1891616b8b0550cc5b52e67200d55a4c8401405e53c1f3e43aa96fa8834d2a

SHA512
1d509c9d9fbf4c0dd5f3be4f30889c9e212ef95d991cd5f1c6141d9cc87e7e57f0c98c0c853283ced10abd494de514219af809baf93d682c23fe0243fa203e5d

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
24.1MB

MD5
6e30be06f47b2ce96b7618fe6131699f

SHA1
d84432345c56346cf39f39e7a66a0970fc8f5073

SHA256
2b9f50ae2fc57e40f56bdca4e5a3b3f337742ac55a18e6f269ea9eae64c230b7

SHA512
6823f60e062ae54e0418939d1f4a8c5a71743b3adeecf19b270d619bfad653d5267683b06aa6c427a1aac66774cd917c9c6cd98d8c8eec633cdb771c24192427

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
20.1MB

MD5
5f3f896f7ceb6e8ec72bb66b95c546ce

SHA1
8f90070e0ce6bdbc8791687c424e564b8e60c9d0

SHA256
3982407608b64748277aaf74caf7fbdfdb3405106b49b464dcc81e0091904c13

SHA512
c4eed4d21b88570d44424772c4b9c303078f6ea386525c9962caae3ba1d613e6af21a5d78038a81c53f1076ee1bff6d5b760936f8f15a6db73423d13c2ca3a4d

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
23.1MB

MD5
6521dedd1f6d551dedeb2672e2d05e6a

SHA1
037254a426399ef7beaca2509d55bd154c131fd4

SHA256
69dd6cdb6d8091755b4852ca6ed2e6bb413b987ac3108243f330ff32d7d8317b

SHA512
bf0a0ca1a4618f8e4f45193b03450b263d6a1861a7670db60cfafb4725a06818a4705aeee39a22e58ca91f9e8d051aa73d0b6d85687b3ce3458986cc9f06d2dc

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
21.0MB

MD5
415a7704578ec598876de5ad6f319e20

SHA1
8ee7628058f1d4be8b8f6bf21143908b5435878c

SHA256
b99301c07b0e09b25058b6645df32e4cb4d6cc34cac2057c7ffdbcbc4a9ac359

SHA512
b9d1b340149726988065a9c406da8743b940314d8b9228e67fc994a4a81693402ccb79b2097117167d496761daff6d8dd2390950495d3ea6aa5b2cf67a89dffb

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
22.1MB

MD5
7235913071f46bd1aa2be2d2d058af8c

SHA1
543829e6106ecf1f46d846a6b2599deb355865ef

SHA256
e9834cc2be912ea466e9dcae658784e399dc6ac71ca42d0ce1336b7aa3c680c0

SHA512
177e5355ff1ee1076c4fbcc54f9f71a26c4fc75565402da010f1d9a8f20dd44f7d76ff19e28383d101a7bc843f65212f7e2f2f78f97f04a9b2936260dd161bcf

Download Submit
\??\c:\windows\SysWOW64\vmdij.cc3

Filesize
23.1MB

MD5
9547148566019b3a605427a136b5422c

SHA1
b69f0861a6da73704eb1f3fbc1f74f282906f43d

SHA256
0201920f6e638d94e34cf344a14f47164b0fd6ff4ed2265802ebd0fef3e5a415

SHA512
e16883c933842d7db2361c7f755cfaca757ad6519a747486a2440a74514674084249e835ecf076861f905661a8a5431d9a368f8ddfac41e687ffc3cdcef869ff

Download Submit