gh0strat | d36e8aa297749e5909316230b55c07fa185761d2f58699e6caefdf3a8141168e

Analysis

max time kernel
150s
max time network
157s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12/03/2025, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cae2144249cca11917ce26657fc0281.exe
Size

176KB
MD5

0cae2144249cca11917ce26657fc0281
SHA1

e7ffc36c62c26e987c6954e4739a306a95d119e1
SHA256

5fa749158a4dd5dd030bb97a5ca74a542ae4661b2a76ec69b29d41c3a32e8767
SHA512

50c5ea18407b74fc5d741d602c87a28c0bfebb348a8ff1710026951937b1e9077a353ee0b9bf2eb648b83a60e34a5e934d8b95c1b7e1202933aea875e6975027
SSDEEP

3072:MBFDC2a8kkalMLmNTMeN1vT72dPxIhf+5HS5LTbl2NBX9ZdebJR3u:M/inHlN1vTyTIBEHkTbl2zn0bJR

Score

10^/10

gh0strat defense_evasion discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral7/memory/3876-0-0x0000000000400000-0x0000000000431000-memory.dmp	family_gh0strat
behavioral7/files/0x000c000000027dc0-5.dat	family_gh0strat
behavioral7/memory/3876-15-0x0000000000400000-0x0000000000431000-memory.dmp	family_gh0strat
behavioral7/memory/2420-16-0x0000000000400000-0x0000000000431000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Modifies firewall policy service 3 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0cae2144249cca11917ce26657fc0281.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0cae2144249cca11917ce26657fc0281.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	0cae2144249cca11917ce26657fc0281.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\0cae2144249cca11917ce26657fc0281.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0cae2144249cca11917ce26657fc0281.exe:*:enabled:@shell32.dll,-1"	0cae2144249cca11917ce26657fc0281.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	hmdriy.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hmdriy.exe	0cae2144249cca11917ce26657fc0281.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cae2144249cca11917ce26657fc0281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hmdriy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
2420	hmdriy.exe
2420	hmdriy.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe
3876	0cae2144249cca11917ce26657fc0281.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	0cae2144249cca11917ce26657fc0281.exe
Token: SeDebugPrivilege	2420	hmdriy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 628	3876	0cae2144249cca11917ce26657fc0281.exe	5
PID 3876 wrote to memory of 628	3876	0cae2144249cca11917ce26657fc0281.exe	5
PID 3876 wrote to memory of 628	3876	0cae2144249cca11917ce26657fc0281.exe	5
PID 3876 wrote to memory of 628	3876	0cae2144249cca11917ce26657fc0281.exe	5
PID 3876 wrote to memory of 628	3876	0cae2144249cca11917ce26657fc0281.exe	5
PID 3876 wrote to memory of 628	3876	0cae2144249cca11917ce26657fc0281.exe	5
PID 3876 wrote to memory of 684	3876	0cae2144249cca11917ce26657fc0281.exe	7
PID 3876 wrote to memory of 684	3876	0cae2144249cca11917ce26657fc0281.exe	7
PID 3876 wrote to memory of 684	3876	0cae2144249cca11917ce26657fc0281.exe	7
PID 3876 wrote to memory of 684	3876	0cae2144249cca11917ce26657fc0281.exe	7
PID 3876 wrote to memory of 684	3876	0cae2144249cca11917ce26657fc0281.exe	7
PID 3876 wrote to memory of 684	3876	0cae2144249cca11917ce26657fc0281.exe	7
PID 3876 wrote to memory of 808	3876	0cae2144249cca11917ce26657fc0281.exe	8
PID 3876 wrote to memory of 808	3876	0cae2144249cca11917ce26657fc0281.exe	8
PID 3876 wrote to memory of 808	3876	0cae2144249cca11917ce26657fc0281.exe	8
PID 3876 wrote to memory of 808	3876	0cae2144249cca11917ce26657fc0281.exe	8
PID 3876 wrote to memory of 808	3876	0cae2144249cca11917ce26657fc0281.exe	8
PID 3876 wrote to memory of 808	3876	0cae2144249cca11917ce26657fc0281.exe	8
PID 3876 wrote to memory of 812	3876	0cae2144249cca11917ce26657fc0281.exe	9
PID 3876 wrote to memory of 812	3876	0cae2144249cca11917ce26657fc0281.exe	9
PID 3876 wrote to memory of 812	3876	0cae2144249cca11917ce26657fc0281.exe	9
PID 3876 wrote to memory of 812	3876	0cae2144249cca11917ce26657fc0281.exe	9
PID 3876 wrote to memory of 812	3876	0cae2144249cca11917ce26657fc0281.exe	9
PID 3876 wrote to memory of 812	3876	0cae2144249cca11917ce26657fc0281.exe	9
PID 3876 wrote to memory of 824	3876	0cae2144249cca11917ce26657fc0281.exe	10
PID 3876 wrote to memory of 824	3876	0cae2144249cca11917ce26657fc0281.exe	10
PID 3876 wrote to memory of 824	3876	0cae2144249cca11917ce26657fc0281.exe	10
PID 3876 wrote to memory of 824	3876	0cae2144249cca11917ce26657fc0281.exe	10
PID 3876 wrote to memory of 824	3876	0cae2144249cca11917ce26657fc0281.exe	10
PID 3876 wrote to memory of 824	3876	0cae2144249cca11917ce26657fc0281.exe	10
PID 3876 wrote to memory of 928	3876	0cae2144249cca11917ce26657fc0281.exe	11
PID 3876 wrote to memory of 928	3876	0cae2144249cca11917ce26657fc0281.exe	11
PID 3876 wrote to memory of 928	3876	0cae2144249cca11917ce26657fc0281.exe	11
PID 3876 wrote to memory of 928	3876	0cae2144249cca11917ce26657fc0281.exe	11
PID 3876 wrote to memory of 928	3876	0cae2144249cca11917ce26657fc0281.exe	11
PID 3876 wrote to memory of 928	3876	0cae2144249cca11917ce26657fc0281.exe	11
PID 3876 wrote to memory of 976	3876	0cae2144249cca11917ce26657fc0281.exe	12
PID 3876 wrote to memory of 976	3876	0cae2144249cca11917ce26657fc0281.exe	12
PID 3876 wrote to memory of 976	3876	0cae2144249cca11917ce26657fc0281.exe	12
PID 3876 wrote to memory of 976	3876	0cae2144249cca11917ce26657fc0281.exe	12
PID 3876 wrote to memory of 976	3876	0cae2144249cca11917ce26657fc0281.exe	12
PID 3876 wrote to memory of 976	3876	0cae2144249cca11917ce26657fc0281.exe	12
PID 3876 wrote to memory of 420	3876	0cae2144249cca11917ce26657fc0281.exe	13
PID 3876 wrote to memory of 420	3876	0cae2144249cca11917ce26657fc0281.exe	13
PID 3876 wrote to memory of 420	3876	0cae2144249cca11917ce26657fc0281.exe	13
PID 3876 wrote to memory of 420	3876	0cae2144249cca11917ce26657fc0281.exe	13
PID 3876 wrote to memory of 420	3876	0cae2144249cca11917ce26657fc0281.exe	13
PID 3876 wrote to memory of 420	3876	0cae2144249cca11917ce26657fc0281.exe	13
PID 3876 wrote to memory of 436	3876	0cae2144249cca11917ce26657fc0281.exe	14
PID 3876 wrote to memory of 436	3876	0cae2144249cca11917ce26657fc0281.exe	14
PID 3876 wrote to memory of 436	3876	0cae2144249cca11917ce26657fc0281.exe	14
PID 3876 wrote to memory of 436	3876	0cae2144249cca11917ce26657fc0281.exe	14
PID 3876 wrote to memory of 436	3876	0cae2144249cca11917ce26657fc0281.exe	14
PID 3876 wrote to memory of 436	3876	0cae2144249cca11917ce26657fc0281.exe	14
PID 3876 wrote to memory of 704	3876	0cae2144249cca11917ce26657fc0281.exe	15
PID 3876 wrote to memory of 704	3876	0cae2144249cca11917ce26657fc0281.exe	15
PID 3876 wrote to memory of 704	3876	0cae2144249cca11917ce26657fc0281.exe	15
PID 3876 wrote to memory of 704	3876	0cae2144249cca11917ce26657fc0281.exe	15
PID 3876 wrote to memory of 704	3876	0cae2144249cca11917ce26657fc0281.exe	15
PID 3876 wrote to memory of 704	3876	0cae2144249cca11917ce26657fc0281.exe	15
PID 3876 wrote to memory of 1040	3876	0cae2144249cca11917ce26657fc0281.exe	16
PID 3876 wrote to memory of 1040	3876	0cae2144249cca11917ce26657fc0281.exe	16
PID 3876 wrote to memory of 1040	3876	0cae2144249cca11917ce26657fc0281.exe	16
PID 3876 wrote to memory of 1040	3876	0cae2144249cca11917ce26657fc0281.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:812
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1080

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:824
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3016
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3896
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3968
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4048
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:8
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4288
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4108
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1032
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
  2⤵
  PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1312
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1624
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:972

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2508

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\0cae2144249cca11917ce26657fc0281.exe
  "C:\Users\Admin\AppData\Local\Temp\0cae2144249cca11917ce26657fc0281.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:60

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3852

C:\Windows\SysWOW64\hmdriy.exe
C:\Windows\SysWOW64\hmdriy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hmdriy.exe

Filesize
176KB

MD5
0cae2144249cca11917ce26657fc0281

SHA1
e7ffc36c62c26e987c6954e4739a306a95d119e1

SHA256
5fa749158a4dd5dd030bb97a5ca74a542ae4661b2a76ec69b29d41c3a32e8767

SHA512
50c5ea18407b74fc5d741d602c87a28c0bfebb348a8ff1710026951937b1e9077a353ee0b9bf2eb648b83a60e34a5e934d8b95c1b7e1202933aea875e6975027

Download Submit
memory/2420-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-6-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3876-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3876-3-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3876-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3876-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-7-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3876-8-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3876-9-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3876-12-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3876-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-2-0x0000000077D13000-0x0000000077D14000-memory.dmp

Filesize
4KB

Download