Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
11/03/2025, 00:44
General
-
Target
JaffaCakes118_623ff1aabf9747161a364868ea2a6784.exe
-
Size
270KB
-
MD5
623ff1aabf9747161a364868ea2a6784
-
SHA1
169256dc7fa2ff29e3ebe5ae4c5ec933fec9fd9e
-
SHA256
47a7a96d5d211b986abd32a287c24e9691a81954c2bb60e1bccc193a4885a5c1
-
SHA512
96c3dfa936a546f25e3f1f8a69401400f8437868f44067e4faf1a70baab2d118cb28eb0a46fc467efbd5d2962edb3008d069338caf843ffc72b52e1e4eb1c1aa
-
SSDEEP
6144:eOnRyfNFO0HR7Wu55Onn+VI3zMJ79Wm0fvxT6/eaN:eI8fNBHlV5I+coJZ+5G/p
Malware Config
Signatures
-
Gh0st RAT payload 14 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 45 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 45 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_623ff1aabf9747161a364868ea2a6784.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_623ff1aabf9747161a364868ea2a6784.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\en.exe"C:\ProgramData\en.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\install4821093.exeC:\Users\Admin\AppData\Roaming\install4821093.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\qa.exe"C:\ProgramData\qa.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\install4903109.exeC:\Users\Admin\AppData\Roaming\install4903109.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3104 -ip 31041⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1444 -ip 14441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1724 -ip 17241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2336 -ip 23361⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2184 -ip 21841⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4908 -ip 49081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3896 -ip 38961⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4244 -ip 42441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1164 -ip 11641⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3268 -ip 32681⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3224 -ip 32241⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2272 -ip 22721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1600 -ip 16001⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4572 -ip 45721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1208 -ip 12081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1956 -ip 19561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4008 -ip 40081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 788 -ip 7881⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3544 -ip 35441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5108 -ip 51081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 748 -ip 7481⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 5802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4008 -ip 40081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2656 -ip 26561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3444 -ip 34441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1984 -ip 19841⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3976 -ip 39761⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2272 -ip 22721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 868 -ip 8681⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 4322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4852 -ip 48521⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3568 -ip 35681⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4064 -ip 40641⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4644 -ip 46441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4360 -ip 43601⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 752 -ip 7521⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 4362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2260 -ip 22601⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1136 -ip 11361⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 5922⤵
- Program crash
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4920 -ip 49201⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2272 -ip 22721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k OutlookSharing1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3384 -ip 33841⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k OutlookSharing1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5096 -ip 50961⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k OutlookSharing1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k CurrentControlServices1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2308 -ip 23081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k CurrentControlServices1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3128 -ip 31281⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k CurrentControlServices1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4340 -ip 43401⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118KB
MD52d32fa5e3cb6e967cf3e93d14756c443
SHA1fc584e983cddc75bd953c6fb47107b503e7c3b13
SHA256ab74ee4cef9b9d08b9f46cc276047ff490b83588a0ef301e7982aae59663e888
SHA512c187efea4808cd33d942acac74ac43b35cd336c992e6f277698e1ab60510fd7debc2d2650ffc4952d5715f1d54e6c58130a7ed838afb15fa072d5348e1b32a00
-
Filesize
117KB
MD56f09bbc6d1e24d76251c0a566ca4310b
SHA1f38af11d64517fd6e5294e6017e25c016fe0bd7d
SHA25663bd165b4037893b26af4bf6a29e0dfe6637f0649caddd7196872e5fca2af8c0
SHA5128eb44d4c7c08cd668b30236193512d1e274922b7b8a1c200af69edba1a83def382c7e2d8b32885fbc658b2ed3c5173fde095f79d39f5209ce51a6168b4f97db0
-
Filesize
192KB
MD52cdced1cdbb37e687771c7eb297eebc5
SHA194ba6b37a5e81090672ed0dc6f4c63dc6b0ee537
SHA256e008441c0d970ec6a3ac09027b5a32050599339d87ee5392457ce692d2099580
SHA512330d6ba34633214f5a24e0d18a702121fc87b779ab37f79676f91c09db3be1c158d4e5606dd0529dddc2a822e6d07791a83d72cfbb7e38f8a8b2f38c9ec69def
-
Filesize
192KB
MD51d3bf95fb92486b71c1c8939ebc27f08
SHA1008b3fdf0b742b306f50f8503dc5be4b1023a4ca
SHA256c333f006f231c1dd310d8f97010120cdf710f43fcb555eeec27232f202c2fcf8
SHA5128f262e10fa53e70f41acb02fcc3208871d9b9ca5e263f3a70aa14aa4b8cb9169e73963740aa3e600e8e4830c67e5c6513721e36decf740f843c8ae8e7b0388e5
-
Filesize
23.0MB
MD511142d50a14c5f37b82ab2f431e5550d
SHA1b555a300979f2269158fb40d935b1ba6466d13ef
SHA256d370af135b9907a2c33c195aa00cc9ba701c3044d6f8c145fb66a003eca85df0
SHA51245acd39548603cba1e656946b1d8ed456f4517e626b318201dc6f1411fc77983d74dd2ab0f589da89731701d8cb9e8909099ba619deb36cd2b4753b40384b28a
-
Filesize
22.0MB
MD52ad6a029fc1efd2389bc99f068a9db36
SHA184d2848cefe50a32c8b119b3527f751591096c80
SHA256aaa92eb7d6936723d9dd0b08e7a45452f788349efe8fb053e5f10eea55ab72fd
SHA512a9a314dd48f8b34c489c73c7fbe9463d318ae56f21a3ca9e917d1bfab86166affa5eeb7f8730882fb11a422fab31e8b97001dbb6d9f40a2783c65268f12015b9
-
Filesize
22.0MB
MD5df96c2b6100f726bbbb0c76f8a2013db
SHA1fbbafaf7c472b221b2e3a9dfa8edc5d47ed6bae8
SHA256fb8b524c1e333471d6317bb14b242f719276a217a79a115f434e79e329916683
SHA51278bbd2cb80feba61743d1d927840872b56fe3ad9c8739cf454f4626876c868d400cf7b6fcf69c2add745fae491b536686059b74dd943aeedced158bb3bd25663
-
Filesize
21.1MB
MD55d8e8aa5a4b974164a29ac461609b506
SHA1b4bc267964a9a93cd3c121996d73065ac00dff38
SHA256ea3360c08bfd24cd7d4b9d0b58b0a306b870661975092ecb70bca5da999ceca1
SHA51263c4325c5ba2ae918df3f26199d4abf461cccfc7681aee50d2b34a278e35f55ba166d7c865baba2eb41eee3fab6d7a675a32842460c240901bd31d3970ef598b
-
Filesize
24.1MB
MD5f14bbfa28de80586aa572bc61e84f740
SHA1a8f3e407d8d48d8617eb58ac12b8b31f6d4e8748
SHA25608215da50a627be39cec342aac1f1ed1317d48105ac8de603c8c51c25646b4d6
SHA512bf98b007f1dc169ecad03a74dfa448975c72284d1651606ea0ab33dcc4731ecd1335f6315c2b88413da08837af49e0675a4a258f387427dc113bc844c50d8a61
-
Filesize
20.0MB
MD55c542fcb8dab24559abb94ba5f77daea
SHA1aa6c15cbffd9f02efd5fa62fbcf39802d1620360
SHA256a3296ff181ca56ba773b34e7eb94e4493ddd235355faf43532985fe473f6a6ef
SHA512b0a07add515142fc3b62128e2bc292a2462a598a7a4438a9a0e5158c21ff76b3f2a3b65bcecb9754f16be88bf75c5b551aaae4267d34d22c3ee5ea2f3f98e49a
-
Filesize
23.0MB
MD5b8fe6cb716ffa489d2f52fc46d17c315
SHA1bff022043ccd06efa5f74ecedaaba93b9866d778
SHA256ba3514537604cba36b803dc60e46d070848a3b7469f218d7cf0d499ee8b1fbcf
SHA5124dbf1ff5b0a670d391326486e0b91457ebca23a801d87f23cb3eb72bdd4c292cc26298eef38af560e007005e3803c9ce355e8b0dc6a51ff5789bfc8a35b453f4
-
Filesize
24.1MB
MD50e3c476557636d5ccb5aa1ffd190259b
SHA181d741d8a75a9f07d23d8833f3515ad711aea53d
SHA256da184634f1fba7a48cab8b261a38308f28e4ce32ecd39e778f9f08e2f52b61ff
SHA512a8035e7833b87a71ad91436f80c228bed10f4f7082cf1cab4a9178ac12fe80b0628728281e7f45e333e277a522815ab706f5197289a3c4caf8d2273f3ee7658e
-
Filesize
20.1MB
MD537d7c150fd7e00dd83a9b5ab29dd7c75
SHA1d4d819c5cb451a4a7aade6022a9c0fb1ab2f33ad
SHA256e19778c2e568a834611aec7e26554b595b3a651a05f67cc06b683ee50e150d2a
SHA5121b8662324706f55ef35122d2f4354f3965b6e8ce864259bafaea813113d03943905c6afef5563bae960b03f2b0d3f10a6594214c0e8020aa747c466798aa39a7
-
Filesize
22.0MB
MD50c9e0acd4b544f6b51fe87b1ce24e283
SHA1aa7479135a77ee4393601b92afef54bda459b8ef
SHA256aa25d73a46eb9ea34f1d1e2ef9c098fcb923e3c4e89638051a18c1750bdb3356
SHA51274cab71e55abd4c2baa2d5c6fb2860d8a67b0c4ad0c758f71a102a40799e4e53280bb4dc9fc7d1ea1c25127f9014ae162cded7484f296d2c6ddf3b6f8a6e2f14
-
Filesize
23.1MB
MD51e5d897bd27e8d6f5d7759be80cc2146
SHA1c32dbc15146c052608dd37bef8c7372b8df0ebe2
SHA256cf51ee401152dba3d89b8f7f5689c56da87e5789307e31a9de88a5bbe83750ec
SHA512af4604a533a6f86e87a1c4c2ad22ae7c29d2699d195410ffa2a29ea81e8315e274f2ff402426d018481f22157a1b2177a2edddbdf6ab54b1dfbc7a897170f662
-
Filesize
19.1MB
MD58330a95986b32d6a3d45ef4e90fbbf56
SHA174c574f186f2ba872407b24edff2bd2855333b38
SHA25639dcc670684e48b442f0c0db5b906b52e7fcaa4e732170cf50c2f5e722aaa627
SHA5120afb7cbac82fb1ca0b4ec003c2846d65e1d6b7652617dfe1e3ed03a1ffbae025c83e493a8a88e6cb527f86d2ecd47313f194234faaa0e6388dc3b6e0d16f2ce2
-
Filesize
22.0MB
MD594be1b52fa008c2a7ea295e0c4cc0e9f
SHA188e7185a2dc35724ee91fe389bd3cf4e08116c44
SHA256caf950b80177e017403f65c3ced995bc1a2410d25a7cc58a3abed881acf2f57e
SHA51267cbaaf46c024395a14d2c0d28e7e2b1ce4ba9e184d6bb307e3400850d9a1eed60a3d8a6a5e23c836397df4d61669b9380aad60ba7de4b6c7f27984501874598
-
Filesize
20.1MB
MD5035a72181978edecb3a0d83efda828ae
SHA1e437cd95a2133d3646623ae58b13fc14d8ae72a8
SHA25620e8d0af5e4ff6ff86bce8f3c2c9b558ac1ebf37bfc1c806b655ff1a88c4e311
SHA512adb442787b2ee1d548ef2c813e0d8da82a2f00ca06ac8db914761ba76aea43198fc296d683c6286cf0d7519da6cf4d7ef5215338346221593ee106ca9eb233cd
-
Filesize
32KB
-
Filesize
32KB