discordrat | c75ed8e67edb12ce91b04dfc1155fe1abb3328fd4e8669bc5a0d64090b62f2d7

Analysis

max time kernel
93s
max time network
78s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-05-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doxtool.exe
Size

78KB
MD5

16d0fb269db477be08d333641dc063c6
SHA1

135e62c03692f27c9c3217a2d974702acdcfc122
SHA256

c75ed8e67edb12ce91b04dfc1155fe1abb3328fd4e8669bc5a0d64090b62f2d7
SHA512

c474547c749ffaa226c23fe0bc7f2dbd9da36e7ccb50626650c8365bac28f07b90f93c450210a8bcb9166f5f7046e9a69759be4fb9b2e804fd3df6c4adee899f
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+xPIC:5Zv5PDwbjNrmAE+hIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzODI1MzczNzMwMzM0NzMyMg.GageoQ.lrQ8H8NI2J99-bJ1ou6AHy2TezHO3Qo24PieOI
server_id
1238097255248957492

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4728 created 572	4728	WerFault.exe	5

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2196 created 572	2196	doxtool.exe	5
PID 2272 created 572	2272	svchost.exe	5
PID 2272 created 572	2272	svchost.exe	5

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	discord.com
16	discord.com
17	discord.com
3	discord.com
4	discord.com
9	discord.com
11	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 3680	2196	doxtool.exe	74

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	Explorer.EXE

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715639503"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={447BF857-54C7-402E-9358-1A2490BB118D}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 13 May 2024 22:31:43 GMT"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	doxtool.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
3680	dllhost.exe
3680	dllhost.exe
2196	doxtool.exe
3680	dllhost.exe
3680	dllhost.exe
2272	svchost.exe
2272	svchost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
2196	doxtool.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
2196	doxtool.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
2196	doxtool.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3624	Process not Found
708	Process not Found
4528	Process not Found
4408	Process not Found
2336	Process not Found
1928	Process not Found
1652	Process not Found
692	Process not Found
4412	Process not Found
1524	Process not Found
3404	Process not Found
4068	Process not Found
1256	Process not Found
3764	Process not Found
396	Process not Found
3844	Process not Found
2324	Process not Found
1712	Process not Found
4724	Process not Found
4972	Process not Found
3080	Process not Found
3852	Process not Found
2888	Process not Found
1336	Process not Found
3028	Process not Found
920	Process not Found
2580	Process not Found
1132	Process not Found
2812	Process not Found
4452	Process not Found
2384	Process not Found
3564	Process not Found
2344	Process not Found
2980	Process not Found
704	Process not Found
2756	Process not Found
4308	Process not Found
2892	Process not Found
4164	Process not Found
2188	Process not Found
3412	Process not Found
2744	Process not Found
2628	Process not Found
4200	Process not Found
2796	Process not Found
2424	Process not Found
2136	Process not Found
4380	Process not Found
2936	Process not Found
60	Process not Found
3008	Process not Found
804	Process not Found
4160	Process not Found
1040	Process not Found
4204	Process not Found
204	Process not Found
756	Process not Found
1588	Process not Found
2292	Process not Found
4772	Process not Found
1844	Process not Found
1760	Process not Found
376	Process not Found
4524	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	doxtool.exe
Token: SeDebugPrivilege	2196	doxtool.exe
Token: SeDebugPrivilege	3680	dllhost.exe
Token: SeDebugPrivilege	4728	WerFault.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeAuditPrivilege	2428	svchost.exe
Token: SeAuditPrivilege	2428	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 2196 wrote to memory of 3680	2196	doxtool.exe	74
PID 3680 wrote to memory of 572	3680	dllhost.exe	5
PID 3680 wrote to memory of 656	3680	dllhost.exe	7
PID 3680 wrote to memory of 748	3680	dllhost.exe	10
PID 3680 wrote to memory of 912	3680	dllhost.exe	13
PID 3680 wrote to memory of 988	3680	dllhost.exe	14
PID 3680 wrote to memory of 1020	3680	dllhost.exe	15
PID 3680 wrote to memory of 352	3680	dllhost.exe	16
PID 3680 wrote to memory of 364	3680	dllhost.exe	17
PID 3680 wrote to memory of 600	3680	dllhost.exe	18
PID 3680 wrote to memory of 1064	3680	dllhost.exe	19
PID 3680 wrote to memory of 1108	3680	dllhost.exe	21
PID 3680 wrote to memory of 1192	3680	dllhost.exe	22
PID 3680 wrote to memory of 1216	3680	dllhost.exe	23
PID 3680 wrote to memory of 1228	3680	dllhost.exe	24
PID 3680 wrote to memory of 1236	3680	dllhost.exe	25
PID 3680 wrote to memory of 1372	3680	dllhost.exe	26
PID 3680 wrote to memory of 1416	3680	dllhost.exe	27
PID 3680 wrote to memory of 1492	3680	dllhost.exe	28
PID 3680 wrote to memory of 1540	3680	dllhost.exe	29
PID 3680 wrote to memory of 1548	3680	dllhost.exe	30
PID 3680 wrote to memory of 1580	3680	dllhost.exe	31
PID 3680 wrote to memory of 1672	3680	dllhost.exe	32
PID 3680 wrote to memory of 1684	3680	dllhost.exe	33
PID 3680 wrote to memory of 1768	3680	dllhost.exe	34
PID 3680 wrote to memory of 1776	3680	dllhost.exe	35
PID 3680 wrote to memory of 1932	3680	dllhost.exe	36
PID 3680 wrote to memory of 1968	3680	dllhost.exe	37
PID 3680 wrote to memory of 2040	3680	dllhost.exe	38
PID 3680 wrote to memory of 1604	3680	dllhost.exe	39
PID 3680 wrote to memory of 2124	3680	dllhost.exe	40
PID 3680 wrote to memory of 2316	3680	dllhost.exe	41
PID 3680 wrote to memory of 2404	3680	dllhost.exe	42
PID 3680 wrote to memory of 2412	3680	dllhost.exe	43
PID 3680 wrote to memory of 2428	3680	dllhost.exe	44
PID 3680 wrote to memory of 2560	3680	dllhost.exe	45
PID 3680 wrote to memory of 2596	3680	dllhost.exe	46
PID 3680 wrote to memory of 2632	3680	dllhost.exe	47
PID 3680 wrote to memory of 2660	3680	dllhost.exe	48
PID 3680 wrote to memory of 2772	3680	dllhost.exe	49
PID 3680 wrote to memory of 2920	3680	dllhost.exe	50
PID 3680 wrote to memory of 3088	3680	dllhost.exe	51
PID 3680 wrote to memory of 3112	3680	dllhost.exe	52
PID 3680 wrote to memory of 3176	3680	dllhost.exe	53
PID 3680 wrote to memory of 3256	3680	dllhost.exe	54
PID 3680 wrote to memory of 3396	3680	dllhost.exe	55
PID 3680 wrote to memory of 3916	3680	dllhost.exe	58
PID 3680 wrote to memory of 3808	3680	dllhost.exe	59
PID 3680 wrote to memory of 4956	3680	dllhost.exe	61
PID 3680 wrote to memory of 4796	3680	dllhost.exe	63
PID 3680 wrote to memory of 3548	3680	dllhost.exe	64
PID 3680 wrote to memory of 3196	3680	dllhost.exe	65
PID 3680 wrote to memory of 3036	3680	dllhost.exe	66
PID 3680 wrote to memory of 4784	3680	dllhost.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ca851b0-c764-4688-a793-281ed04fb806}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 572 -s 928
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 572 -s 944
  2⤵
  PID:4252

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:988

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1108
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1416
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3088
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4352
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4888
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4092
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4276
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1120
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2772

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396
- C:\Users\Admin\AppData\Local\Temp\doxtool.exe
  "C:\Users\Admin\AppData\Local\Temp\doxtool.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4956

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3548

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3196

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4784

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2444

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:2276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3684

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA066.tmp.csv

Filesize
29KB

MD5
864d2efb9067a3d19a7934038919a236

SHA1
9e8350eb3031d18fe5e9208ec1024be959c47257

SHA256
34cdae0232c3c4de95a096ef31347921c5bc1feff5d8e1eb61ffafd695155f16

SHA512
bb62b06df098e9f6af349e48eb53c17867d4ce7619cf8923ed2c0bb1260582321cb20858820a2808c7946087df7e6cc6436121fcd513cc97cd06384f81d6a1fa

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA077.tmp.txt

Filesize
12KB

MD5
6a6c294b4d081ae85d2d2cf97bf91763

SHA1
0fa558b6fd1a27f4d6ce994642d1afe1e9e0f675

SHA256
ddd10797d4eb8c1eb5c5a25d58b0312ee884b624c93f2b6505fcf5c868de0db9

SHA512
5b540cdcf8a211d4388027cf0a689d7f27b647b55330cbe26c2a1f1200dc053c9e06f2a3ec5f91ac60beef6555f38355b10342348d9ae6c3ce76671022213ed7

Download Submit
memory/572-200-0x00007FFB82E45000-0x00007FFB82E46000-memory.dmp

Filesize
4KB

Download
memory/572-15-0x0000025843800000-0x0000025843823000-memory.dmp

Filesize
140KB

Download
memory/572-199-0x0000025843830000-0x000002584385A000-memory.dmp

Filesize
168KB

Download
memory/572-27-0x0000025843830000-0x000002584385A000-memory.dmp

Filesize
168KB

Download
memory/656-191-0x000001CA6E440000-0x000001CA6E46A000-memory.dmp

Filesize
168KB

Download
memory/656-192-0x00007FFB82E45000-0x00007FFB82E46000-memory.dmp

Filesize
4KB

Download
memory/656-17-0x000001CA6E440000-0x000001CA6E46A000-memory.dmp

Filesize
168KB

Download
memory/656-18-0x00007FFB42E30000-0x00007FFB42E40000-memory.dmp

Filesize
64KB

Download
memory/1020-195-0x00000182C7870000-0x00000182C789A000-memory.dmp

Filesize
168KB

Download
memory/1020-25-0x00007FFB42E30000-0x00007FFB42E40000-memory.dmp

Filesize
64KB

Download
memory/1020-24-0x00000182C7870000-0x00000182C789A000-memory.dmp

Filesize
168KB

Download
memory/2196-7-0x00007FFB81FB0000-0x00007FFB8205E000-memory.dmp

Filesize
696KB

Download
memory/2196-288-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp

Filesize
4KB

Download
memory/2196-84-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-289-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-301-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-246-0x00007FFB81FB1000-0x00007FFB82024000-memory.dmp

Filesize
460KB

Download
memory/2196-0-0x0000018119B20000-0x0000018119B38000-memory.dmp

Filesize
96KB

Download
memory/2196-6-0x00007FFB82DA0000-0x00007FFB82F7B000-memory.dmp

Filesize
1.9MB

Download
memory/2196-5-0x000001811B880000-0x000001811B8BE000-memory.dmp

Filesize
248KB

Download
memory/2196-4-0x0000018134A50000-0x0000018134F76000-memory.dmp

Filesize
5.1MB

Download
memory/2196-3-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-2-0x0000018134160000-0x0000018134322000-memory.dmp

Filesize
1.8MB

Download
memory/2196-1-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp

Filesize
4KB

Download
memory/3680-8-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3680-186-0x00007FFB82DA0000-0x00007FFB82F7B000-memory.dmp

Filesize
1.9MB

Download
memory/3680-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3680-181-0x00007FFB82DA1000-0x00007FFB82EAF000-memory.dmp

Filesize
1.1MB

Download
memory/3680-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3680-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3680-12-0x00007FFB81FB0000-0x00007FFB8205E000-memory.dmp

Filesize
696KB

Download
memory/3680-300-0x00007FFB82DA0000-0x00007FFB82F7B000-memory.dmp

Filesize
1.9MB

Download
memory/3680-11-0x00007FFB82DA0000-0x00007FFB82F7B000-memory.dmp

Filesize
1.9MB

Download