Malware Analysis Report

2024-09-11 09:35

Sample ID 240603-w9akzseg7y
Target GTA5-FINAL-RELEASE.exe
SHA256 689481c56c91f86cf9e6d034cb714e3c92723af3035c00c3c339fcb384258e55
Tags
discordrat evasion persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

689481c56c91f86cf9e6d034cb714e3c92723af3035c00c3c339fcb384258e55

Threat Level: Known bad

The file GTA5-FINAL-RELEASE.exe was found to be: Known bad.

Malicious Activity Summary

discordrat evasion persistence rat rootkit stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Discordrat family

Discord RAT

Modifies Windows Firewall

Disables Task Manager via registry modification

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Runs .reg file with regedit

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks processor information in registry

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-03 18:36

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 18:36

Reported

2024-06-03 18:39

Platform

win11-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

winlogon.exe

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4952 created 624 N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe C:\Windows\system32\winlogon.exe

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\NetSh.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4952 set thread context of 3628 N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717439929" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Jun 2024 18:38:49 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={89530C2A-38A8-42F3-9293-D54761B800B4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\ImmersiveControlPanel\SystemSettings.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 748 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe

"C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb94ea3cb8,0x7ffb94ea3cc8,0x7ffb94ea3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{c222db1c-a5e9-46a3-bd95-9473fa3168ce}

C:\Windows\SYSTEM32\NetSh.exe

"NetSh.exe" Advfirewall set allprofiles state off

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\ImmersiveControlPanel\SystemSettings.exe

"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\Desktop\UseCopy.reg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.133.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.133.159.162.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 52.111.227.14:443 tcp
GB 104.86.110.104:443 tcp
IE 13.69.239.77:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
US 162.159.138.232:443 discord.com tcp

Files

memory/4952-0-0x00000278A6F90000-0x00000278A6FA8000-memory.dmp

memory/4952-1-0x00007FFB9C413000-0x00007FFB9C415000-memory.dmp

memory/4952-2-0x00000278C1660000-0x00000278C1822000-memory.dmp

memory/4952-3-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp

memory/4952-4-0x00000278C28E0000-0x00000278C2E08000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA1 aaeafebce5483626ef82813d286511c1f353f861
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512 c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA1 83964574467b7422e160af34ef024d1821d6d1c3
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512 f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

\??\pipe\LOCAL\crashpad_748_OEUHSELMDHLNNOBA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c1a37c2e89dd1e0889b44b45f9e59bc1
SHA1 64af4e36d077ed7bfd8bc5ce5a3895006e490647
SHA256 e58b9199edfa315a6b5c727866d0307141e4f7a5fedbc6fdd1761e27a05ef170
SHA512 1ad3ef7d98ee6a99307a352a2ca71b7b709392c4bc266e0ec87e37fdd8e6c42182ad65bc1b83dc4cbe62de3dc9d68b0cc64641bed7adf493928ecc301022352c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6087b608cfdce8e368d44d036bfd4de4
SHA1 4f633f48d36952a2d33216d238b0c4751421c44a
SHA256 5dc1445ff5db37ac173d9681651f94c5c0fe57e8b6581b9080e885129ad1080f
SHA512 1b995133cf8422241ddd475fe639b1aa5fdcc032332c2184761d74f6d9c578c6d2fbb455647a5415ab3116b97a499e7fd5bdf21b331743bb44f943cf48872980

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1587c8745e697fc070ef7cf06173b6ab
SHA1 bbaeee1cb3f97ce7ce94e0feee42934e11385e3c
SHA256 a58ef2bc7be0aba76c7f41f5debceacadc87699bbc85814f2629fb8823711667
SHA512 f021e851af8cae900b68b0fac041a29312a94df15599d624199dbfd015352d4b98507ad4b14964d7f55aceddfd57705d4a749c46574bd619dbbe17339fb6262e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/4952-99-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp

memory/4952-100-0x00000278A8C70000-0x00000278A8CAE000-memory.dmp

memory/4952-101-0x00007FFBBD260000-0x00007FFBBD469000-memory.dmp

memory/4952-102-0x00007FFBBC440000-0x00007FFBBC4FD000-memory.dmp

memory/3628-104-0x0000000140000000-0x0000000140040000-memory.dmp

memory/3628-106-0x00007FFBBC440000-0x00007FFBBC4FD000-memory.dmp

memory/3628-105-0x00007FFBBD260000-0x00007FFBBD469000-memory.dmp

memory/3628-103-0x0000000140000000-0x0000000140040000-memory.dmp

memory/3628-107-0x0000000140000000-0x0000000140040000-memory.dmp

memory/692-115-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/692-114-0x0000023D9A190000-0x0000023D9A1BA000-memory.dmp

memory/624-111-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/624-110-0x0000013F1D280000-0x0000013F1D2AA000-memory.dmp

memory/624-109-0x0000013F1D250000-0x0000013F1D273000-memory.dmp

memory/428-120-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/984-123-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/984-122-0x000001B9673D0000-0x000001B9673FA000-memory.dmp

memory/428-119-0x000002303D140000-0x000002303D16A000-memory.dmp

memory/436-126-0x0000026CF3290000-0x0000026CF32BA000-memory.dmp

memory/436-127-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1048-135-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1048-134-0x000001522B540000-0x000001522B56A000-memory.dmp

memory/1040-132-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1240-152-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1416-165-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1416-164-0x0000024B846C0000-0x0000024B846EA000-memory.dmp

memory/1372-162-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1240-151-0x0000019D14C30000-0x0000019D14C5A000-memory.dmp

memory/1208-149-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1208-148-0x00000293D8090000-0x00000293D80BA000-memory.dmp

memory/1116-146-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1116-145-0x000002A9415D0000-0x000002A9415FA000-memory.dmp

memory/1056-143-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

memory/1056-142-0x0000029A1E930000-0x0000029A1E95A000-memory.dmp

memory/1040-131-0x000001E106D70000-0x000001E106D9A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 47e298abec158dc123e750d7c33b5f4a
SHA1 908a35c3da59378852aff587aeaa5f7167dae1ea
SHA256 fbe96f322826e4a6266279e9fbfadd95a8b4faaaa28f7c3d8d5df8514ed03a89
SHA512 dc359dfb0f803cb2c668fc8024f6e75684f23bb0d4119f9be8abbc60519075dae52cc85cc164e8285374746479cff5c95968fa37cde9d5baa284325af606883b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 149153057af18bf54307a1659eb7f976
SHA1 95e50564d874282f2a96b5dc5d75ebd87629e6e3
SHA256 cf46e9fe1bf2dd9fb9149f33baddbc437fda013d1ef3764e519e05c3d792b2fe
SHA512 bbe8ad60abdd940c0ee7d368db0c1ca013fc72134bf2683ad7178c090263b9de99e8472feaa9c82ef7d8cf6ba215a215fbbf9b8700469ebbd8f3f1e5952c3254

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 38397f47ba4564dcbf58f27447b48c1f
SHA1 ec7896095981af3faf8c7dabe6134ee8f5b97bf3
SHA256 43fbca4dfdbdbd0db0a27124255d8bf5378852ef0db12a20dcf79e1aefa88a40
SHA512 4d3af65dbe41da6a882a80bc61c53788c42f7add6cd064b2abf8de1ec53d801a2e37739701dbc17180974075d05c416c932b4eb9bb8c2f3da1750e4156948da5

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 a9c343dcbcbdeaed3df95afb2bf65494
SHA1 5f202bceb81ec2958997afb4c39e19e90fa2a437
SHA256 86b97cd954df7e2e6497cb6728c37dd3d7ab3caa530bb14e60067de19d66ae6c
SHA512 95b601d42fcdb269edac5f60a5036b03cf0ece017bbce3a658595b54ada777d707a83a956fe8ee20407409ee597990900e4826a842854af2d289e6a2dbd10dba

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 f0f73e1e31f1e7f8ee79227293bb4ac7
SHA1 ee7083df61045d4b14249a32a488890f68941208
SHA256 728eb5d416ff31448c976e9097f641e87dd3f1892ee923ed56f510ac9d6e51ca
SHA512 8e0df96cc6ad65c27e3d6f4e214b19d4f1f8441d52d4a7a6cfe1f3a3fa346fd525b1681d2657528eb7e966452fe859816e165eed0eaef9ac88d4591911ce361d

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 b0a40f6847934b610c24822c5c1e60b4
SHA1 7a984562d0765a185ab4af0f6b574b326410e7eb
SHA256 baa3c6350471601390dda37570a20a23567c582df132eb0fbe997f36ac831da2
SHA512 05453981b9bd66438c4e707a2763e00f58929f41bc2802f01ba240f3d7d46a6f2a7be9c28192ba783ef42c33d0f1e50766a70edbd61e8c48f299e0da75712a8f

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 2e286dd0367aaf12ac7a61923b48c1e6
SHA1 6757cfcc28a86552fa5d535bd8e2c247ef7b722d
SHA256 d33e3afd37e7150f69f78c16355a039925bb53b624587ef37727f8954c801973
SHA512 c347fd6731e59da059863918e3bafa07bd50ea8f3e6f88ad8837b3301c3971376a0665d081df3d8501ae5538a306a97f06e237e679ea3bd725256cb497307511