gh0strat | 91deeb74fb0961e69ec3fe459f88abe848516f5dcc9f0548ed64b526cdb24b3c

Analysis

max time kernel
148s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Size

192KB
MD5

5aee9a1d5770657e7f683a013dc4296b
SHA1

f11bf77c5760f6d7dd702d4cee9f6319ac193128
SHA256

91deeb74fb0961e69ec3fe459f88abe848516f5dcc9f0548ed64b526cdb24b3c
SHA512

50e83a038b1177034fa982263a85cfba7e5392df0f9e3eb8871e3e04d2a906a004e0cb5f9914c2d9f6978afa039872a7e453fdad25abba977b9083d6259df327
SSDEEP

3072:mQk3DH+bK+snWjvUJ/0L41j33iVekrC73mdGrqszmE39N7QDQu+3pF:mQkTH+bpsnWjvu0Lg3y0kryeIzkUt3p

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000229a8-2.dat	family_gh0strat
behavioral2/files/0x000a0000000229a8-8.dat	family_gh0strat
behavioral2/files/0x000a000000023d48-14.dat	family_gh0strat
behavioral2/files/0x0005000000022a6e-20.dat	family_gh0strat
behavioral2/files/0x0007000000022a6e-26.dat	family_gh0strat
behavioral2/files/0x000e000000023c0d-32.dat	family_gh0strat
behavioral2/files/0x0010000000023c0d-38.dat	family_gh0strat
behavioral2/files/0x0012000000023c0d-44.dat	family_gh0strat
behavioral2/files/0x0014000000023c0d-50.dat	family_gh0strat
behavioral2/files/0x0016000000023c0d-56.dat	family_gh0strat
behavioral2/files/0x0018000000023c0d-62.dat	family_gh0strat
behavioral2/files/0x001a000000023c0d-68.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 34 IoCs

pid	Process
3400	svchost.exe
3668	svchost.exe
1732	svchost.exe
3756	svchost.exe
2208	svchost.exe
3496	svchost.exe
2316	svchost.exe
4348	svchost.exe
2592	svchost.exe
2696	svchost.exe
3012	svchost.exe
812	svchost.exe
4348	svchost.exe
396	svchost.exe
1020	svchost.exe
1604	svchost.exe
3572	svchost.exe
3660	svchost.exe
1944	svchost.exe
3172	svchost.exe
2440	svchost.exe
3008	svchost.exe
2232	svchost.exe
4272	svchost.exe
4444	svchost.exe
1372	svchost.exe
3208	svchost.exe
4632	svchost.exe
2772	svchost.exe
2932	svchost.exe
4968	svchost.exe
4780	svchost.exe
424	svchost.exe
5064	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ykucb.cc3	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
2380	3400	WerFault.exe	91
4736	3668	WerFault.exe	96
2948	1732	WerFault.exe	99
2504	3756	WerFault.exe	104
1840	2208	WerFault.exe	107
1944	3496	WerFault.exe	110
2904	2316	WerFault.exe	114
2100	4348	WerFault.exe	117
3864	2592	WerFault.exe	120
5068	2696	WerFault.exe	131
1612	3012	WerFault.exe	134
3956	812	WerFault.exe	137
4176	4348	WerFault.exe	140
452	396	WerFault.exe	143
3032	1020	WerFault.exe	146
2524	1604	WerFault.exe	150
1588	3572	WerFault.exe	153
2420	3660	WerFault.exe	156
1080	1944	WerFault.exe	159
3588	3172	WerFault.exe	162
4232	2440	WerFault.exe	165
812	3008	WerFault.exe	168
2600	2232	WerFault.exe	171
4208	4272	WerFault.exe	174
3680	4444	WerFault.exe	177
4556	1372	WerFault.exe	180
2216	3208	WerFault.exe	183
2748	4632	WerFault.exe	186
1724	2772	WerFault.exe	189
2272	2932	WerFault.exe	192
532	4968	WerFault.exe	195
4172	4780	WerFault.exe	198
1176	424	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeBackupPrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
Token: SeRestorePrivilege	1632	JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5aee9a1d5770657e7f683a013dc4296b.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 592
  2⤵
  - Program crash
  PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3400 -ip 3400
1⤵
PID:2912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 596
  2⤵
  - Program crash
  PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3668 -ip 3668
1⤵
PID:4564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 592
  2⤵
  - Program crash
  PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1732 -ip 1732
1⤵
PID:2668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 592
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3756 -ip 3756
1⤵
PID:3672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 592
  2⤵
  - Program crash
  PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 2208
1⤵
PID:2068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 592
  2⤵
  - Program crash
  PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3496 -ip 3496
1⤵
PID:400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 592
  2⤵
  - Program crash
  PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2316 -ip 2316
1⤵
PID:5064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 592
  2⤵
  - Program crash
  PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4348 -ip 4348
1⤵
PID:2728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 592
  2⤵
  - Program crash
  PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2592 -ip 2592
1⤵
PID:4740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 592
  2⤵
  - Program crash
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2696 -ip 2696
1⤵
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 592
  2⤵
  - Program crash
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3012 -ip 3012
1⤵
PID:3076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 592
  2⤵
  - Program crash
  PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 812 -ip 812
1⤵
PID:3008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 592
  2⤵
  - Program crash
  PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4348 -ip 4348
1⤵
PID:3700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 592
  2⤵
  - Program crash
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 396 -ip 396
1⤵
PID:1272

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 592
  2⤵
  - Program crash
  PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1020 -ip 1020
1⤵
PID:4444

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 592
  2⤵
  - Program crash
  PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1604 -ip 1604
1⤵
PID:2932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 592
  2⤵
  - Program crash
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3572 -ip 3572
1⤵
PID:2340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 592
  2⤵
  - Program crash
  PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3660 -ip 3660
1⤵
PID:4672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 592
  2⤵
  - Program crash
  PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1944 -ip 1944
1⤵
PID:2412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 592
  2⤵
  - Program crash
  PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3172 -ip 3172
1⤵
PID:3456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 592
  2⤵
  - Program crash
  PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2440 -ip 2440
1⤵
PID:5016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 596
  2⤵
  - Program crash
  PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3008 -ip 3008
1⤵
PID:3956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 592
  2⤵
  - Program crash
  PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2232 -ip 2232
1⤵
PID:1296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 592
  2⤵
  - Program crash
  PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4272 -ip 4272
1⤵
PID:2180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 592
  2⤵
  - Program crash
  PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4444 -ip 4444
1⤵
PID:3048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 592
  2⤵
  - Program crash
  PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1372 -ip 1372
1⤵
PID:4936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 592
  2⤵
  - Program crash
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3208 -ip 3208
1⤵
PID:1964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 596
  2⤵
  - Program crash
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4632 -ip 4632
1⤵
PID:3448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 592
  2⤵
  - Program crash
  PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2772 -ip 2772
1⤵
PID:3668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 596
  2⤵
  - Program crash
  PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2932 -ip 2932
1⤵
PID:1508

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 592
  2⤵
  - Program crash
  PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4968 -ip 4968
1⤵
PID:4576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 592
  2⤵
  - Program crash
  PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4780 -ip 4780
1⤵
PID:2068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 592
  2⤵
  - Program crash
  PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 424 -ip 424
1⤵
PID:3144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
22.1MB

MD5
7a1f127a0ee2d869c9ffc0e1ef496a30

SHA1
5ebf5e57f390073886351cec17de14bde2655c1b

SHA256
8ea9f39ec2346e22e72ce5b444624ca8359b780f85de1155f59c4c91721aaa93

SHA512
e4f0a1790f77f3e3555bf844b5c40ee39543d7debc7b40c1f0d2753055d0600864b2eddeb9b5252220b6fe7b4acf96cd6a84b6df0ff416cba30322bd41159668

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
20.1MB

MD5
f2140f7fabc93170b77073a9b541b350

SHA1
211babc93a871c7ff89679163ab6f37305e3b436

SHA256
2312f8e70fe776a1981d9410e8a6215b159a7b6228cc36a15408e7aff1e9d45c

SHA512
91670d1f9d76c1a3526e7d0facb721dc8d7d2fddc398849a7ec72ef81086e40c6e7e84439f537287c61c84fe69e1d2f895472dfd9bb53a2fd7af216de8c0694d

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
22.0MB

MD5
986b2e5995a79ebcf2d6dbdf766e2eec

SHA1
7b14d1a94aabb2e17ce40eadd523ea1baf288262

SHA256
42ac0581bef539c4f452d0d024d1ec875466faa915966b4cbbc27b9f7da7b5a9

SHA512
fb2e1c8d8e584d0fd3a0c17d4ddf4c4e8011afaf3c4780eb7738056f549928de39a1388e07f5cbbd8ac6c0d2d252f3c442f030016fdeaef864b6f96f89405851

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
22.1MB

MD5
02f7217381f5e12332a83d7df00414cf

SHA1
d6b230ba5388455c1084e5e79e9699479d9ab638

SHA256
4f495bb5389550486013127427b21144dc868ea5683cf74cde6009d312959ae2

SHA512
5d25c436ef649b9155dc5f63b87a5ef893f69388d4d0ac6f6700f8c28a893186b57f3c7e50a7bb6dc947909f9cdd8908f3b4c306a13257958d512ba588892bad

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
21.1MB

MD5
426a2230eddcc6b82812d25443f91779

SHA1
aa5206c78e4ee780c4d4fa90a4cec34c8af13077

SHA256
217788a58d9f84572767d3940448e31990a62d32c351cc71491a14ecc1de662e

SHA512
393b359e87a449b0df5bb55b3f3823bb3a0edb66d3a6e7ee394806f33ceee83107beb9808046666739ae046130f440c96a3da165ef866dd45dd2d7019a9f273e

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
20.1MB

MD5
a8b21a671e46edc45ca708d56c5a34fb

SHA1
373fa1beae8edc77cc66741863956dd8a787c04d

SHA256
fb15b93aaa4f134d2a3b86803d4ec36b560bb84992470a268dc654414cf151dd

SHA512
5ae4148f07f7d9a18e873d1c12b71397fe5d216c0873ac2237fd952d3c3614a0dea6be7ce980397acd1ad652bad3d65f948ed4ebbdea534dbbca778a792a2511

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
23.0MB

MD5
db8308a7ff778251f370b14178645678

SHA1
1d3bb84f3d28a1e6e8fe462066def52263e2d9d6

SHA256
bcaa433f142e7dec029cc91941725f8f472836fd257e042e6283e60e383aaf6f

SHA512
62ed63320f3f3d3ca96e7a93942074e0453656001c19a661c74a69653d65d52fb057ef1f703fbc9125fe2fca3c07d5d3ac2020b1d71d856b75e776404238ea4b

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
23.0MB

MD5
ea64aa09e581c3570b5a6c551df70ae6

SHA1
c09f65d18c52d77336d181f0e4b3e20a535f5413

SHA256
74dfc1b0e6ec7d1845c40f3b2d43816b5e8648528de55818f9dd65e57144ba09

SHA512
e05721860f60413934824c50f3523bea474733a86e34c1e334659b5df2086565221690ccc10089a3e5a50a632e50064279d2d81fd03220fef4f1c8def41521f7

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
24.1MB

MD5
b980ec349f9746ae5c0a43b7ab7c4e97

SHA1
b69a35565bc544e4b564bb122dca4139a0c42565

SHA256
5fdfd2619b23c5be79b29ceb380922756af5f31a5ace3addaf9acce18fac415f

SHA512
134aa43724f83192eb53d52c7f2ff86cb160769aa6baf3cd8c8064266c6dd284daeeb0a9929d7f2a0521387ef8e543714d61bdb129d08a47249e58b5a205be9e

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
20.1MB

MD5
413f8cde0caf770b6acd285f5440a01c

SHA1
4271ec3c860d331525eb74d5c7862163598ba0bd

SHA256
21176422eb8af66094137011c3407acdc43209f0cdf82d0ff6388164e3463714

SHA512
5a3de44a9713b2ce086222b8c8e0eff39d0ccff70954149146ba64c1c442cbb49c586a47a3cf71bfd67e4b163197912a88f2870d8df38a6f7867ffeec8fca062

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
24.0MB

MD5
57a8b13fdb9b21f94cb5f670336e581c

SHA1
6fb362005643a7db896fa1dedb07979fc20a7d39

SHA256
6f6c961ef1953ffadbce719ca5219eddc2f934c40bc55ac3bc6a67bc394f4b9f

SHA512
45db2d357e607f614e4b521a10c2c7d2dabd02862ba2a7d6795d67ce0269a6a6236fd4f2b508e2f0467544f9be61c03bea7c4609a61e98e4221c390192d15f0e

Download Submit
\??\c:\windows\SysWOW64\ykucb.cc3

Filesize
24.0MB

MD5
efba106a4b465f8a530e8099ca6e8a3c

SHA1
c67ed8f132fecb22bd7596370e27df9d5e484d70

SHA256
9566ba7fe7d1c95ed0412ce8f20271fd7ab556eab3bdd478fa1982777681eb1a

SHA512
77223b135b3aedf6805ffc136d83a9268264fc85c9c425fa972479690e45a5994f88fb155c13baffd5c792ab45a545dc015789f431e91ab920731314960ec80d

Download Submit