discordrat | 9e37c85517f2475ecb79759df8a479ac1ca0c1dc788bd961e55001adf3ee4004

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celery Bootstrapper.exe
Size

204KB
MD5

02b71a38b3d55018b7f5c316543d5a8f
SHA1

c214652b538e94b19204e83e54483d911921d72a
SHA256

9e37c85517f2475ecb79759df8a479ac1ca0c1dc788bd961e55001adf3ee4004
SHA512

489de9c196ddd4cc92b3e3d9d20945c74cf3d0839940d0a2db88ab32bddf55e822c53f2c98034698eff72a28cc0da8b35527a8e5f9c3995109f68f0e323473fd
SSDEEP

1536:f2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+/PId+ovpfCfRRuaLgv+y1C3qzkn1:fZv5PDwbjNrmAE+HIMu2RuJGxB4RM

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE1NzU5MjUzOTQyODMwNzA2NA.Gco7Ft.BhtXaKRPsK-ZaaFbpomOTsGS41VToi1-dZqMqM
server_id
1165103369547939933

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1592 created 624	1592	WerFault.exe	5

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1384 created 624	1384	Celery Bootstrapper.exe	5
PID 5116 created 624	5116	svchost.exe	5
PID 5116 created 680	5116	svchost.exe	7
PID 5116 created 316	5116	svchost.exe	13

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
12	discord.com
25	discord.com
32	discord.com
35	discord.com
60	raw.githubusercontent.com
61	raw.githubusercontent.com
62	discord.com
10	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 1324	1384	Celery Bootstrapper.exe	98

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1384	Celery Bootstrapper.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1384	Celery Bootstrapper.exe
1324	dllhost.exe
1324	dllhost.exe
820	WerFault.exe
820	WerFault.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
5116	svchost.exe
5116	svchost.exe
1292	WerFault.exe
1292	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1324	dllhost.exe
1324	dllhost.exe
1384	Celery Bootstrapper.exe
1324	dllhost.exe
1324	dllhost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1384	Celery Bootstrapper.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1384	Celery Bootstrapper.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1384	Celery Bootstrapper.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
5088	Process not Found
2196	Process not Found
3832	Process not Found
4908	Process not Found
2936	Process not Found
4476	Process not Found
3276	Process not Found
3972	Process not Found
3700	Process not Found
1824	Process not Found
4692	Process not Found
4240	Process not Found
4520	Process not Found
952	Process not Found
1136	Process not Found
1668	Process not Found
3424	Process not Found
3040	Process not Found
4680	Process not Found
4696	Process not Found
396	Process not Found
1964	Process not Found
3556	Process not Found
1548	Process not Found
3068	Process not Found
2340	Process not Found
2940	Process not Found
4760	Process not Found
3724	Process not Found
820	Process not Found
4072	Process not Found
628	Process not Found
2092	Process not Found
3688	Process not Found
4748	Process not Found
2752	Process not Found
3312	Process not Found
832	Process not Found
840	Process not Found
4132	Process not Found
780	Process not Found
1536	Process not Found
3140	Process not Found
3356	Process not Found
2704	Process not Found
3916	Process not Found
4588	Process not Found
4428	Process not Found
3144	Process not Found
4328	Process not Found
332	Process not Found
524	Process not Found
1124	Process not Found
1132	Process not Found
1184	Process not Found
1248	Process not Found
1540	Process not Found
1504	Process not Found
892	Process not Found
4920	Process not Found
3880	Process not Found
1800	Process not Found
3044	Process not Found
4424	Process not Found

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	Celery Bootstrapper.exe
Token: SeDebugPrivilege	1384	Celery Bootstrapper.exe
Token: SeDebugPrivilege	1324	dllhost.exe
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeAuditPrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3500	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1384 wrote to memory of 1324	1384	Celery Bootstrapper.exe	98
PID 1324 wrote to memory of 624	1324	dllhost.exe	5
PID 1324 wrote to memory of 680	1324	dllhost.exe	7
PID 1324 wrote to memory of 960	1324	dllhost.exe	12
PID 1324 wrote to memory of 316	1324	dllhost.exe	13
PID 680 wrote to memory of 2768	680	lsass.exe	48
PID 1324 wrote to memory of 392	1324	dllhost.exe	14
PID 1324 wrote to memory of 876	1324	dllhost.exe	15
PID 1324 wrote to memory of 1108	1324	dllhost.exe	17
PID 1324 wrote to memory of 1116	1324	dllhost.exe	18
PID 1324 wrote to memory of 1144	1324	dllhost.exe	19
PID 1324 wrote to memory of 1156	1324	dllhost.exe	20
PID 1324 wrote to memory of 1236	1324	dllhost.exe	21
PID 1324 wrote to memory of 1252	1324	dllhost.exe	22
PID 1324 wrote to memory of 1340	1324	dllhost.exe	23
PID 1324 wrote to memory of 1408	1324	dllhost.exe	24
PID 1324 wrote to memory of 1416	1324	dllhost.exe	25
PID 1324 wrote to memory of 1564	1324	dllhost.exe	26
PID 1324 wrote to memory of 1584	1324	dllhost.exe	27
PID 1324 wrote to memory of 1648	1324	dllhost.exe	28
PID 1324 wrote to memory of 1704	1324	dllhost.exe	29
PID 1324 wrote to memory of 1732	1324	dllhost.exe	30
PID 1324 wrote to memory of 1768	1324	dllhost.exe	31
PID 1324 wrote to memory of 1808	1324	dllhost.exe	32
PID 1324 wrote to memory of 1920	1324	dllhost.exe	33
PID 1324 wrote to memory of 1980	1324	dllhost.exe	34
PID 1324 wrote to memory of 2004	1324	dllhost.exe	35
PID 1324 wrote to memory of 1472	1324	dllhost.exe	36
PID 1324 wrote to memory of 2068	1324	dllhost.exe	37
PID 1324 wrote to memory of 2148	1324	dllhost.exe	38
PID 1324 wrote to memory of 2260	1324	dllhost.exe	40
PID 1324 wrote to memory of 2408	1324	dllhost.exe	41
PID 1324 wrote to memory of 2564	1324	dllhost.exe	43
PID 1324 wrote to memory of 2572	1324	dllhost.exe	44
PID 1324 wrote to memory of 2680	1324	dllhost.exe	45
PID 1324 wrote to memory of 2696	1324	dllhost.exe	46
PID 1324 wrote to memory of 2720	1324	dllhost.exe	47
PID 1324 wrote to memory of 2768	1324	dllhost.exe	48
PID 1324 wrote to memory of 2776	1324	dllhost.exe	49
PID 1324 wrote to memory of 2804	1324	dllhost.exe	50
PID 1324 wrote to memory of 2836	1324	dllhost.exe	51
PID 1324 wrote to memory of 2884	1324	dllhost.exe	52
PID 1324 wrote to memory of 2996	1324	dllhost.exe	53
PID 1324 wrote to memory of 2796	1324	dllhost.exe	54
PID 1324 wrote to memory of 3408	1324	dllhost.exe	55
PID 1324 wrote to memory of 3500	1324	dllhost.exe	56
PID 1324 wrote to memory of 3640	1324	dllhost.exe	57
PID 1324 wrote to memory of 3816	1324	dllhost.exe	58
PID 1324 wrote to memory of 4000	1324	dllhost.exe	60
PID 1324 wrote to memory of 3612	1324	dllhost.exe	62
PID 1324 wrote to memory of 1204	1324	dllhost.exe	65
PID 1324 wrote to memory of 2688	1324	dllhost.exe	67
PID 1324 wrote to memory of 4420	1324	dllhost.exe	68
PID 1324 wrote to memory of 4400	1324	dllhost.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 316 -s 2588
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1292
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1aad9486-2478-4175-8591-c84ba1a757d3}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1324
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 624 -s 844
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:820

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 680 -s 4876
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1116
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1408
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2680
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4576
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3580
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4668
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2056
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1516
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2720

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2836

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3408

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3500
- C:\Users\Admin\AppData\Local\Temp\Celery Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Celery Bootstrapper.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4420

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2656

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:32

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:5116
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 480 -p 624 -ip 624
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 500 -p 680 -ip 680
  2⤵
  PID:1664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 464 -p 316 -ip 316
  2⤵
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ABD.tmp.csv

Filesize
36KB

MD5
780b519526745ebd372f401717ed44b1

SHA1
d7402d7d1e735ed775391109a078e9523e6bc426

SHA256
6ef1b53dbe5273ecad1c7817fdd5f4799b9c72e2cb78e42d6cfbe17ac178785a

SHA512
79e90d36571e446eeb0c21d7d290e4df910e831a455604b390cd96b221dc1656c508b94c79a23437bd5992337f2b673fda404f5ae139b20ad5b795cce4e1a9d5

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ACE.tmp.txt

Filesize
13KB

MD5
642ff43b2f5c74bea2399ed08473b6dd

SHA1
e88570c2968196f5387ce771d34e795e91cd8042

SHA256
d2a4de34fa72fcbd2f6374c4e909f4f4a69a1d7169a65ef977e40d3dfa2d5726

SHA512
2fa0b8d245c7d32fec66c22d2854d920cfc1491f0ee0906a69d540a0df27bb4b2fb0f62ef8c6b2d9eebd4254e0aaa79af0fa4202c5777d068e1184c2b561fadb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BD8.tmp.csv

Filesize
34KB

MD5
7a385442e65ae808493757c443838570

SHA1
49301776466839511e083c131e90b8c6b858c79d

SHA256
b3e6d8f69200af48bd37c8bccde9325b210117a901b02105caef39e759001838

SHA512
ea7fb0e83bef62948209d05b697897a1b8e5393e237438690fbae2ffc74331ed3817da470370c4567801d1c19c6f8c31aadceb34c2edb9f7aee934fb43bb5263

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BF9.tmp.txt

Filesize
13KB

MD5
fafec75a0305b93a3d474a1d70525d50

SHA1
0f4cc20aa72bafbfd8d726592b66eeb025f9ecfd

SHA256
b7afe1eaae52c3f0da2831e30a9c4348b6b4df62979e08d03e7229e72a480646

SHA512
62734ed58a6149604f09d6024af5a3e08c73b7171a3a082625627932b49cb7deb2684a1eff234f53550b20718490771fa9cc9317ffbfd85f079fdb390e9ca1c5

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C09.tmp.csv

Filesize
34KB

MD5
baf253418e9f604b252d9da61248ab39

SHA1
0143aafd060896d1823cc8f68d96fb6dea38557b

SHA256
8ea7c7014b1a038b71cdaf5fbaa94b812870b26bceb7ef8e91da90e13b3af234

SHA512
136251cb8dcddd6b83d8770a531eb50db4a0abe4d2f073f607b1609562cd4f31f6685c9a1df2b1f5687eea83224bb6b2f16852f77fa608e02366fde92ab09916

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C1A.tmp.txt

Filesize
13KB

MD5
5c42f79b571d0124c11caf27367c844c

SHA1
d6a1991cace06457137fb6c1e3fc2317fc2eea56

SHA256
cfcf02322c4860d300333ffd3d4def2c03064aac558f80c6133c02d86bb4f608

SHA512
8c5d2869749f10048849251b2204425fe8d4ea7661121fe5c6a884de6d8fbe90d1852b49392bd5d0d7b3e0410f3d27ec787dea90b07326c3664bfdc0c45369ef

Download Submit
memory/316-26-0x00000195C1B80000-0x00000195C1BAA000-memory.dmp

Filesize
168KB

Download
memory/316-327-0x00000195C1B80000-0x00000195C1BAA000-memory.dmp

Filesize
168KB

Download
memory/316-38-0x00000195C1B80000-0x00000195C1BAA000-memory.dmp

Filesize
168KB

Download
memory/392-32-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/392-41-0x0000024C12AE0000-0x0000024C12B0A000-memory.dmp

Filesize
168KB

Download
memory/392-31-0x0000024C12AE0000-0x0000024C12B0A000-memory.dmp

Filesize
168KB

Download
memory/624-18-0x000001B5E94B0000-0x000001B5E94D3000-memory.dmp

Filesize
140KB

Download
memory/624-34-0x000001B5E94E0000-0x000001B5E950A000-memory.dmp

Filesize
168KB

Download
memory/624-20-0x000001B5E94E0000-0x000001B5E950A000-memory.dmp

Filesize
168KB

Download
memory/624-35-0x00007FF80D40D000-0x00007FF80D40E000-memory.dmp

Filesize
4KB

Download
memory/624-36-0x00007FF80D40F000-0x00007FF80D410000-memory.dmp

Filesize
4KB

Download
memory/680-22-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/680-21-0x0000016AE5970000-0x0000016AE599A000-memory.dmp

Filesize
168KB

Download
memory/680-37-0x0000016AE5970000-0x0000016AE599A000-memory.dmp

Filesize
168KB

Download
memory/876-49-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/876-48-0x000001D7D5C90000-0x000001D7D5CBA000-memory.dmp

Filesize
168KB

Download
memory/876-262-0x000001D7D5C90000-0x000001D7D5CBA000-memory.dmp

Filesize
168KB

Download
memory/960-39-0x000002A97CCD0000-0x000002A97CCFA000-memory.dmp

Filesize
168KB

Download
memory/960-28-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/960-40-0x00007FF80D40C000-0x00007FF80D40D000-memory.dmp

Filesize
4KB

Download
memory/960-27-0x000002A97CCD0000-0x000002A97CCFA000-memory.dmp

Filesize
168KB

Download
memory/1108-51-0x000001F725CD0000-0x000001F725CFA000-memory.dmp

Filesize
168KB

Download
memory/1108-52-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1116-55-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1116-54-0x000001E3445B0000-0x000001E3445DA000-memory.dmp

Filesize
168KB

Download
memory/1144-57-0x000001F24CC60000-0x000001F24CC8A000-memory.dmp

Filesize
168KB

Download
memory/1144-58-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1156-60-0x0000023944120000-0x000002394414A000-memory.dmp

Filesize
168KB

Download
memory/1156-61-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1236-64-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1236-63-0x000002354EB30000-0x000002354EB5A000-memory.dmp

Filesize
168KB

Download
memory/1252-68-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1252-67-0x000001CDAE080000-0x000001CDAE0AA000-memory.dmp

Filesize
168KB

Download
memory/1324-13-0x00007FF80D370000-0x00007FF80D565000-memory.dmp

Filesize
2.0MB

Download
memory/1324-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1324-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1324-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1324-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1324-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1324-14-0x00007FF80BD60000-0x00007FF80BE1E000-memory.dmp

Filesize
760KB

Download
memory/1340-77-0x0000020073000000-0x000002007302A000-memory.dmp

Filesize
168KB

Download
memory/1340-78-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

Filesize
64KB

Download
memory/1384-6-0x000002F0FD970000-0x000002F0FD980000-memory.dmp

Filesize
64KB

Download
memory/1384-9-0x00007FF80BD60000-0x00007FF80BE1E000-memory.dmp

Filesize
760KB

Download
memory/1384-0-0x000002F0FB2F0000-0x000002F0FB326000-memory.dmp

Filesize
216KB

Download
memory/1384-8-0x00007FF80D370000-0x00007FF80D565000-memory.dmp

Filesize
2.0MB

Download
memory/1384-7-0x000002F0FDD60000-0x000002F0FDD9E000-memory.dmp

Filesize
248KB

Download
memory/1384-5-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1384-4-0x000002F0FE1A0000-0x000002F0FE6C8000-memory.dmp

Filesize
5.2MB

Download
memory/1384-3-0x000002F0FD970000-0x000002F0FD980000-memory.dmp

Filesize
64KB

Download
memory/1384-2-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1384-1-0x000002F0FD9A0000-0x000002F0FDB62000-memory.dmp

Filesize
1.8MB

Download
memory/1384-425-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1408-80-0x000002D2C2E80000-0x000002D2C2EAA000-memory.dmp

Filesize
168KB

Download