gh0strat | 3a62c25407891f069edbfd3c218ff8cccd611d71e2da0bee71cecc68924cec42

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Size

197KB
MD5

561bb28056f61048faf596d137adff1f
SHA1

832e1db0361c6983c0867c7b1bfb50af72ac1383
SHA256

3a62c25407891f069edbfd3c218ff8cccd611d71e2da0bee71cecc68924cec42
SHA512

0fe8de8c0e4163ca9d9a718c4d48dc30cff2f799977bbb01336907e6e7b1602b663d99e54843bbd9fea7ddb0a39967bcfdd116690b4a88f08d173a10c57ecf5e
SSDEEP

6144:nOVLnWFc/FtsFkVRTl0QdTmNPPYhtUeqPZ:n8LWFq+kV1KIo+hYZ

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023b95-2.dat	family_gh0strat
behavioral2/files/0x000b000000023b95-8.dat	family_gh0strat
behavioral2/files/0x000f000000023b2d-14.dat	family_gh0strat
behavioral2/files/0x0011000000023b2d-20.dat	family_gh0strat
behavioral2/files/0x0013000000023b2d-26.dat	family_gh0strat
behavioral2/files/0x0005000000022b07-32.dat	family_gh0strat
behavioral2/files/0x0007000000022b07-38.dat	family_gh0strat
behavioral2/files/0x0009000000022b07-44.dat	family_gh0strat
behavioral2/files/0x000b000000022b07-51.dat	family_gh0strat
behavioral2/files/0x000600000001e52e-56.dat	family_gh0strat
behavioral2/files/0x000a00000001e52e-62.dat	family_gh0strat
behavioral2/files/0x000c00000001e52e-68.dat	family_gh0strat
behavioral2/files/0x000c00000001e52e-69.dat	family_gh0strat
behavioral2/files/0x000c00000001e52e-70.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 34 IoCs

pid	Process
1772	svchost.exe
4404	svchost.exe
4340	svchost.exe
3792	svchost.exe
2668	svchost.exe
544	svchost.exe
212	svchost.exe
4612	svchost.exe
4504	svchost.exe
2704	svchost.exe
5016	svchost.exe
568	svchost.exe
264	svchost.exe
3248	svchost.exe
1052	svchost.exe
4824	svchost.exe
2576	svchost.exe
1508	svchost.exe
2980	svchost.exe
4500	svchost.exe
2084	svchost.exe
1716	svchost.exe
3384	svchost.exe
4196	svchost.exe
2828	svchost.exe
3624	svchost.exe
2252	svchost.exe
3356	svchost.exe
4536	svchost.exe
2792	svchost.exe
5012	svchost.exe
5016	svchost.exe
2584	svchost.exe
1748	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\%SESSIONNAME%\dowjl.pic	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe

Program crash 35 IoCs

pid	pid_target	Process	procid_target
3804	1772	WerFault.exe	92
2092	4404	WerFault.exe	96
2060	4340	WerFault.exe	100
2036	3792	WerFault.exe	105
2664	2668	WerFault.exe	108
2652	544	WerFault.exe	111
4628	212	WerFault.exe	115
3804	4612	WerFault.exe	118
3356	4504	WerFault.exe	121
2012	2704	WerFault.exe	125
4516	5016	WerFault.exe	128
4000	568	WerFault.exe	131
3976	264	WerFault.exe	134
4880	3248	WerFault.exe	137
1392	1052	WerFault.exe	140
4612	4824	WerFault.exe	143
3532	2576	WerFault.exe	146
1820	1508	WerFault.exe	149
4772	2980	WerFault.exe	152
5012	4500	WerFault.exe	155
5016	2084	WerFault.exe	158
2176	1716	WerFault.exe	161
4456	3384	WerFault.exe	164
704	4196	WerFault.exe	167
1640	2828	WerFault.exe	170
2448	3624	WerFault.exe	173
1584	2252	WerFault.exe	176
3900	3356	WerFault.exe	179
4340	4536	WerFault.exe	182
2260	2792	WerFault.exe	185
388	5012	WerFault.exe	188
4948	5016	WerFault.exe	191
2060	2584	WerFault.exe	194
1436	1748	WerFault.exe	197
4464	2664	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeBackupPrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
Token: SeRestorePrivilege	552	JaffaCakes118_561bb28056f61048faf596d137adff1f.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bb28056f61048faf596d137adff1f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bb28056f61048faf596d137adff1f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 604
  2⤵
  - Program crash
  PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1772 -ip 1772
1⤵
PID:1628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 592
  2⤵
  - Program crash
  PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4404 -ip 4404
1⤵
PID:3984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 592
  2⤵
  - Program crash
  PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4340 -ip 4340
1⤵
PID:764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 592
  2⤵
  - Program crash
  PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3792 -ip 3792
1⤵
PID:3236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 592
  2⤵
  - Program crash
  PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2668 -ip 2668
1⤵
PID:1048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 592
  2⤵
  - Program crash
  PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 544 -ip 544
1⤵
PID:4016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 592
  2⤵
  - Program crash
  PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 212 -ip 212
1⤵
PID:3752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 592
  2⤵
  - Program crash
  PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4612 -ip 4612
1⤵
PID:4824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 592
  2⤵
  - Program crash
  PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4504 -ip 4504
1⤵
PID:4884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 592
  2⤵
  - Program crash
  PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2704 -ip 2704
1⤵
PID:4772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 592
  2⤵
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5016 -ip 5016
1⤵
PID:4984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 592
  2⤵
  - Program crash
  PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 568 -ip 568
1⤵
PID:388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 592
  2⤵
  - Program crash
  PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 264 -ip 264
1⤵
PID:1476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 592
  2⤵
  - Program crash
  PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3248 -ip 3248
1⤵
PID:2532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 592
  2⤵
  - Program crash
  PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1052 -ip 1052
1⤵
PID:456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 592
  2⤵
  - Program crash
  PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4824 -ip 4824
1⤵
PID:1772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 592
  2⤵
  - Program crash
  PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2576 -ip 2576
1⤵
PID:4092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 592
  2⤵
  - Program crash
  PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1508 -ip 1508
1⤵
PID:1968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 592
  2⤵
  - Program crash
  PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2980 -ip 2980
1⤵
PID:2092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 592
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4500 -ip 4500
1⤵
PID:2888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 592
  2⤵
  - Program crash
  PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2084 -ip 2084
1⤵
PID:4516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 592
  2⤵
  - Program crash
  PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1716 -ip 1716
1⤵
PID:2148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 592
  2⤵
  - Program crash
  PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3384 -ip 3384
1⤵
PID:3560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 592
  2⤵
  - Program crash
  PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4196 -ip 4196
1⤵
PID:5060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 592
  2⤵
  - Program crash
  PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2828 -ip 2828
1⤵
PID:2604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 592
  2⤵
  - Program crash
  PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3624 -ip 3624
1⤵
PID:4244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 592
  2⤵
  - Program crash
  PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2252 -ip 2252
1⤵
PID:1432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 592
  2⤵
  - Program crash
  PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3356 -ip 3356
1⤵
PID:4024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 592
  2⤵
  - Program crash
  PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4536 -ip 4536
1⤵
PID:788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 592
  2⤵
  - Program crash
  PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2792 -ip 2792
1⤵
PID:2512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 592
  2⤵
  - Program crash
  PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5012 -ip 5012
1⤵
PID:4860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 600
  2⤵
  - Program crash
  PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5016 -ip 5016
1⤵
PID:2864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 592
  2⤵
  - Program crash
  PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2584 -ip 2584
1⤵
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 592
  2⤵
  - Program crash
  PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1748 -ip 1748
1⤵
PID:4836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- System Location Discovery: System Language Discovery
PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 592
  2⤵
  - Program crash
  PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2664 -ip 2664
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%SESSIONNAME%\dowjl.pic

Filesize
21.1MB

MD5
fc1723ab2e89746b0e576db6a9599b52

SHA1
001f860ac2fd034ddcc8e9144068e7e16de9718d

SHA256
150c793b1ae468faab3c2a548fcaf46189f7c09b3808e6a3979d4df4210f673c

SHA512
f1d3b4783b0fbb91b957f32a3d3164d5c3bf2d83ed6c9ae9918fb90197405c08529a9b6aadbac019aaa3075313d430e3598818f7098630b10d3c8b22eb79cf00

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\dowjl.pic

Filesize
10.1MB

MD5
98d4d3aeaaa3b465a770f98ed77f7dd4

SHA1
02997aae81ceace762094e8fe92d2693756dc5e6

SHA256
2de386c2312bcd9ab5891804b94407120d27843a6cbead8eb877783acd87685c

SHA512
aaa2a85b8b0c21da0502d3a1e2cbfcd8e5d1739fc4602d6353316d707a7679208684bc0e491aaba58c1e68aeb5d585b76b7ad286fb30cb93168c9cb49846e37d

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\dowjl.pic

Filesize
3.7MB

MD5
f482eb04c874e7071feafef22f5f649f

SHA1
e62b744a3f531a6da1a89042af18f34620784ce7

SHA256
f155aae5800760163ba3c95eadc989923501158ce1ae65fc5ce5c2fd46d510a3

SHA512
3e4ef676c5fcedf32767638c6d186d2f23fb897ab684bb162400de7c15882879504fa4f1781e54eec0e083b716c74fc8f05e64ab14b27ccae0b92eb01df83e0a

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
19.0MB

MD5
38a0574814a05f045892c4c6649acd15

SHA1
84f2c7e60d5d19f874dfd9ef7767b69bd5d220b8

SHA256
29a552d25b8f881376f5024e4a7a632bb90777e131c29bf18938661986b45a20

SHA512
434d08c3971015d2c6c80c138d225e7d9fda8a2567f60182f6b2fa0f24b1a6fdaccaa875d9e2c0d14d9fdfe96b76a96ba6f58762fa2bef9394c4c3b81882f1f2

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
21.0MB

MD5
9fae1b8b33944679932004bf349a3ce1

SHA1
4289c4bf7467dab68649d9c657bc014ebdb1a934

SHA256
a53833532fa454713edc8d9d011e2bc0497aa2e9370076d993b121c2d1db9eb3

SHA512
8b775704fecb99eb84f27e3c6484de3eb92013a12471c9b199dc2e8a41294f6156be5ed3cec62868c91cd7e8e6598427f22046abf544df601e626a0df95b7e27

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
24.1MB

MD5
c1dcd6af27c894302cfcb59a03ac45bd

SHA1
dab33f8a1850df68f64eb852fdb6b4e00da8d3aa

SHA256
ed8bc94f8799e1a5bacf6e0b16d460e86e09715d7515ff99e03d273119ec9e2c

SHA512
82dabfb1041a8d0bda3952078724db1856ff6fba72c67b2fd510db0c7d5fa3184e4d5b8e8803309683a525cce7f917252f8d17d3ff2c13348512c16298fea5f2

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
24.0MB

MD5
6cc6b4854075890f7fd32a75ac2945b3

SHA1
dd0dcee08b109742d64b775864945fd4bcf4fec0

SHA256
42e91e4c0e9a64cb0f857085f3728d20707877e2eeab39489476817c7d814022

SHA512
b37a4497b173ad45139b81e36388f4705a9b0b66458961d2a5f23ef705a1bc8fc425063cd5f76c56dcdb009e75260c88cc01f0af9813e65cec107c04758b8c05

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
19.0MB

MD5
e67930d3996ec5d4cb4236601f80268e

SHA1
e1fefe37d42dc235046353b023ef6645fac2814f

SHA256
db3b5dd30d72f505cb16d67c38d2f89bd55e886187090c6d8f50cdd454e361fe

SHA512
c545a365e766c948bc6b2b4a4f1d4415fb1b9efc3b886c8c6a350d445a217f48b7ca099f9823e8249a2c46219d885b6bd5f465c24fb4a1368565c034bd37a7a5

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
22.1MB

MD5
3a366434cb8f1e0daf5d90e2d60fa7f0

SHA1
5e1539b50b8072e3f9071228cda452a50b9b2a9d

SHA256
66a9e7fb7ef68c12a43ae76528256cdc148839832441618a153e0c68c5d8c1be

SHA512
f4facf3b80525063d580161bb702e6006a7477d8632272e75f35a9c48ff4db924550c5046a858efab9592ecd4e4edf98e4d2767e7a6fb48899d541778501c638

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
23.0MB

MD5
4ec0a2f1f61a48712aa63c454e9e6870

SHA1
4170f89f907000b7611246267e6690a786f6112c

SHA256
8aa242e3385ce664334ef1f9d460246463430f552c412f17cb46595cdc184d7b

SHA512
fc4c2707235fae8dacd46cab26ee13f40c249c4bb238bd8887f7b7d26b11f19362c91b72fff28912cb9b0e25dd44edda668c136683b98833ccaf6a4253bfa642

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
10.7MB

MD5
5c3ea836b69538ad01017385e092d681

SHA1
9bc979306a0c21796fa77b7641a5760fe98a8f25

SHA256
5a03640408bbb112027a3ce7eaf1865bef4d23a1203aaf5c892b9c4eb76ae6b5

SHA512
f5e109049172fcf155c34b2b52812eea1142e8b14fb218caa8dae89b73d59de64d5c312b3a69e3c9cfe6136c48d7f0098cf82fe5de60d91766ad8c344452c90a

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
21.0MB

MD5
2850e519e8884ec8b91a535bbc0269d0

SHA1
367b6ca07bd12b1012ac3230f5e00198da459f01

SHA256
5ee70450b41a4350d1b96c4f5cf12d14b71b2a93103c36742938d1c7c9c8f9b1

SHA512
aa246aab1b9c402dbccd6b2fe521dedc46dfb4c331286b60e3ad7478532454ee12d9bb70a2d347ab4efa69c7bfc7a50aa88e2653848a167f432713a4116a07e2

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
19.1MB

MD5
d1f1e448ad2d6a10f08ebf4808dba18f

SHA1
0e01ebd46c392cfa9b848b325d22f4700588c3af

SHA256
fd1c2d21ab3ad72f4335fcbdd3cd737729e895d0cfc52222066f9e9050d27f8c

SHA512
598e32bb18afce87fa3ceab0db98dcb18356f13ae48bc693d481368488c2beca9f83d77d0fe2db721efb871c23fddffff844f851d7a8a6d2ce7f02dcde31c585

Download Submit
\??\c:\program files (x86)\%sessionname%\dowjl.pic

Filesize
20.0MB

MD5
2a7a4711ea42674b2de100e07eab802f

SHA1
968294104a4554805d19d68e54bfa1fd63b8e802

SHA256
ad802bf2b46902263fd201aed288c67ba878dd4fb2e9595dfed5a93ee7c1b1cd

SHA512
36b86496338734ba751fe420e663a4f0fa71b3d1e885e2d3bbf42a06ae974ae0cc26b67e45eea9934e860e7291c4bf333953794f959c48b5de6a2b5fbf7dfd23

Download Submit