gh0strat | 06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00

Analysis

max time kernel
151s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
Size

246KB
MD5

8f101545a83a42697b601b49440bfbef
SHA1

b64ae33e3cebf2641134d682c805bf323b2f35b3
SHA256

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00
SHA512

5b99db995e38c756e72c5d711220acd9c737d20d79a644a163843c60d7794739a740b3c4fd9cf594cece3d4a84e4abdbfc203c75479ba9902ddf91a187928806
SSDEEP

6144:BCvHDbXP2nBfV+SfYzL1FvERa1q6NXtCVanz:BST4BfV+IYzL1FvAa1xnz

Score

10^/10

gh0strat evasion rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3324-136-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/memory/4704-141-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/memory/4704-142-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/memory/3324-148-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/memory/4704-151-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe:*:enabled:@shell32.dll,-1"	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp	acprotect
C:\Windows\Temp\lziFD70.tmp	acprotect
C:\Windows\Temp\lziFD70.tmp	acprotect
C:\Windows\Temp\lziFD70.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

Goclear.exe

pid process

4704 Goclear.exe

pid	process
4704	Goclear.exe

Loads dropped DLL 7 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exeGoclear.exeWerFault.exeWerFault.exe

pid	process
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
4704	Goclear.exe
4704	Goclear.exe
3372	WerFault.exe
4616	WerFault.exe
4616	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Goclear.exe	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
File created	C:\Windows\SysWOW64\Goclear.exe	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4616 3324 WerFault.exe 06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

pid	pid_target	process	target process
4616	3324	WerFault.exe	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exeGoclear.exe

pid	process
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
4704	Goclear.exe
4704	Goclear.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

pid	process
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exeGoclear.exe

description	pid	process
Token: SeDebugPrivilege	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
Token: SeDebugPrivilege	4704	Goclear.exe
Token: SeIncBasePriorityPrivilege	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exeGoclear.exe

pid process

3324 06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
4704 Goclear.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe

description	pid	process	target process
PID 3324 wrote to memory of 620	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	winlogon.exe
PID 3324 wrote to memory of 620	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	winlogon.exe
PID 3324 wrote to memory of 620	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	winlogon.exe
PID 3324 wrote to memory of 620	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	winlogon.exe
PID 3324 wrote to memory of 620	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	winlogon.exe
PID 3324 wrote to memory of 620	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	winlogon.exe
PID 3324 wrote to memory of 668	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	lsass.exe
PID 3324 wrote to memory of 668	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	lsass.exe
PID 3324 wrote to memory of 668	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	lsass.exe
PID 3324 wrote to memory of 668	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	lsass.exe
PID 3324 wrote to memory of 668	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	lsass.exe
PID 3324 wrote to memory of 668	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	lsass.exe
PID 3324 wrote to memory of 784	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 784	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 784	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 784	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 784	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 784	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 788	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 788	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 788	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 788	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 788	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 788	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	fontdrvhost.exe
PID 3324 wrote to memory of 800	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 800	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 800	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 800	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 800	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 800	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 908	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 908	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 908	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 908	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 908	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 908	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 964	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 964	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 964	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 964	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 964	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 964	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 316	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	dwm.exe
PID 3324 wrote to memory of 316	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	dwm.exe
PID 3324 wrote to memory of 316	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	dwm.exe
PID 3324 wrote to memory of 316	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	dwm.exe
PID 3324 wrote to memory of 316	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	dwm.exe
PID 3324 wrote to memory of 316	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	dwm.exe
PID 3324 wrote to memory of 388	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 388	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 388	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 388	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 388	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 388	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 616	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 616	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 616	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 616	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 616	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 616	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 924	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 924	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 924	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe
PID 3324 wrote to memory of 924	3324	06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3248

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:3632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:616

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1920

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3324 -ip 3324
2⤵
- Loads dropped DLL
PID:3372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2756

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2744

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe
"C:\Users\Admin\AppData\Local\Temp\06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00.exe"
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 636
3⤵
- Loads dropped DLL
- Program crash
PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\SysWOW64\Goclear.exe
C:\Windows\SysWOW64\Goclear.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyiF5CE.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\SysWOW64\Goclear.exe

Filesize
246KB

MD5
8f101545a83a42697b601b49440bfbef

SHA1
b64ae33e3cebf2641134d682c805bf323b2f35b3

SHA256
06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00

SHA512
5b99db995e38c756e72c5d711220acd9c737d20d79a644a163843c60d7794739a740b3c4fd9cf594cece3d4a84e4abdbfc203c75479ba9902ddf91a187928806

Download Submit
C:\Windows\SysWOW64\Goclear.exe

Filesize
246KB

MD5
8f101545a83a42697b601b49440bfbef

SHA1
b64ae33e3cebf2641134d682c805bf323b2f35b3

SHA256
06851627edcc8b9052fb6e96ea89850b2d4ac605f640ac5f36f7afc54f576b00

SHA512
5b99db995e38c756e72c5d711220acd9c737d20d79a644a163843c60d7794739a740b3c4fd9cf594cece3d4a84e4abdbfc203c75479ba9902ddf91a187928806

Download Submit
C:\Windows\Temp\lziFD70.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\lziFD70.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\lziFD70.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/3324-149-0x00000000008C0000-0x0000000000933000-memory.dmp

Filesize
460KB

Download
memory/3324-144-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3324-136-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3324-135-0x00000000008C0000-0x0000000000933000-memory.dmp

Filesize
460KB

Download
memory/3324-148-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3324-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3324-150-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/4704-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4704-143-0x0000000000540000-0x00000000005B3000-memory.dmp

Filesize
460KB

Download
memory/4704-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4704-151-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4704-152-0x0000000000540000-0x00000000005B3000-memory.dmp

Filesize
460KB

Download