Malware Analysis Report

2024-09-11 09:22

Sample ID 240604-mg376adg67
Target GTA5-FINAL-RELEASE.exe
SHA256 689481c56c91f86cf9e6d034cb714e3c92723af3035c00c3c339fcb384258e55
Tags
discordrat evasion persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

689481c56c91f86cf9e6d034cb714e3c92723af3035c00c3c339fcb384258e55

Threat Level: Known bad

The file GTA5-FINAL-RELEASE.exe was found to be: Known bad.

Malicious Activity Summary

discordrat evasion persistence rat rootkit stealer

Discordrat family

Discord RAT

Disables Task Manager via registry modification

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-04 10:27

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 10:27

Reported

2024-06-04 10:29

Platform

win11-20240508-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Disables Task Manager via registry modification

evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).y = "4294967295" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\explorer.exe N/A
Key created \Registry\User\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\NotificationData C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).top = "39" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).x = "4294967295" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).x = "4294967295" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).y = "4294967295" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).left = "246" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\control.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).bottom = "639" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).right = "1046" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 2388 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe
PID 1664 wrote to memory of 2388 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe
PID 1664 wrote to memory of 4264 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe
PID 1664 wrote to memory of 4264 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe
PID 1664 wrote to memory of 4492 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe
PID 1664 wrote to memory of 4492 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe

"C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe"

C:\Windows\system32\control.exe

"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
GB 104.86.110.104:443 tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp

Files

memory/5104-0-0x000001DEB9360000-0x000001DEB9378000-memory.dmp

memory/5104-1-0x00007FFCB4D33000-0x00007FFCB4D35000-memory.dmp

memory/5104-2-0x000001DED3990000-0x000001DED3B52000-memory.dmp

memory/5104-3-0x00007FFCB4D30000-0x00007FFCB57F2000-memory.dmp

memory/5104-4-0x000001DED4C60000-0x000001DED5188000-memory.dmp

memory/5104-10-0x00007FFCB4D30000-0x00007FFCB57F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 46e73ffc1e2868a135b3581527fc9b0f
SHA1 0b7abe15db8fc80d224dabcc087dd7dd0df6acd0
SHA256 22522f90bf0e9892dfc52430f72dc8274c9497c7f016043580eab6d5d02223a9
SHA512 23b09612e20ad18498066d59e726e26eab1fe9b93ac1114ae32b1325254538a2f9e3fe86a8387684bd32d114d11936ebf4e071008838bf76eb211e965d07842f

memory/2388-14-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-13-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-12-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-24-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-23-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-22-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-21-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-20-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-19-0x0000021D69920000-0x0000021D69921000-memory.dmp

memory/2388-18-0x0000021D69920000-0x0000021D69921000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 16846df493521e84fe47cd6b6451ec8f
SHA1 6d99eb017c5aec08d3a7e908bbd4a051ce250c02
SHA256 69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9
SHA512 aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 9e466b4837d8431be725d6b9c1b4d9ef
SHA1 3f247b7c89985a41d839cad351cd0fc182fcb284
SHA256 2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d
SHA512 01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

memory/4492-27-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-26-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-25-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-32-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-35-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-34-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-36-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-33-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp

memory/4492-37-0x00000209F6AD0000-0x00000209F6AD1000-memory.dmp