fe5babb459b6efece0241e14768c284fe3f0d99fe05261ab9a55c9446b348eed

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 18:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Discord-RAT-2.0-2.0/Discord rat/Resources/rootkit.exe
Size

223KB
MD5

d72fea64a05b3f7dce725352d7c1d032
SHA1

9c27e234567d237d9c495353567f2efa42e8f616
SHA256

8fdae5b4490183c9057a684f0ac2f82dd5c8911cb2f43a54ff47a9ad6e93952a
SHA512

56bb1c4d83587ecc5f8bb41882d449e1812cdf1db1fee4068f5ef1b49f28d3e0af95e14f306d494a6c6cd4771c052360a96388f59bfa409affb3b21790da00d3
SSDEEP

6144:wguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOks:kKLBwiZlzMB9xgndcP88DvvP

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3668 created 612	3668	rootkit.exe	5

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 4176	3668	rootkit.exe	85

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3668	rootkit.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2892	Process not Found
3928	Process not Found
1184	Process not Found
3468	Process not Found
4992	Process not Found
4132	Process not Found
4388	Process not Found
3264	Process not Found
2700	Process not Found
4840	Process not Found
4512	Process not Found
4540	Process not Found
2196	Process not Found
3668	Process not Found
4520	Process not Found
4480	Process not Found
680	Process not Found
4672	Process not Found
4912	Process not Found
3724	Process not Found
2188	Process not Found
2192	Process not Found
4116	Process not Found
648	Process not Found
4608	Process not Found
1812	Process not Found
4552	Process not Found
1344	Process not Found
3776	Process not Found
100	Process not Found
4072	Process not Found
2808	Process not Found
2068	Process not Found
3416	Process not Found
452	Process not Found
3412	Process not Found
3192	Process not Found
1996	Process not Found
1500	Process not Found
4980	Process not Found
3452	Process not Found
1924	Process not Found
5024	Process not Found
1744	Process not Found
828	Process not Found
1864	Process not Found
4660	Process not Found
316	Process not Found
3332	Process not Found
4616	Process not Found
2660	Process not Found
3080	Process not Found
1464	Process not Found
1032	Process not Found
1204	Process not Found
1208	Process not Found
1252	Process not Found
1316	Process not Found
1524	Process not Found
1880	Process not Found
2712	Process not Found
756	Process not Found
3308	Process not Found
4860	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	rootkit.exe
Token: SeDebugPrivilege	3668	rootkit.exe
Token: SeDebugPrivilege	4176	dllhost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAuditPrivilege	2784	svchost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe
Token: SeLoadDriverPrivilege	1704	svchost.exe
Token: SeSystemtimePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeShutdownPrivilege	1704	svchost.exe
Token: SeSystemEnvironmentPrivilege	1704	svchost.exe
Token: SeUndockPrivilege	1704	svchost.exe
Token: SeManageVolumePrivilege	1704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe
Token: SeLoadDriverPrivilege	1704	svchost.exe
Token: SeSystemtimePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeShutdownPrivilege	1704	svchost.exe
Token: SeSystemEnvironmentPrivilege	1704	svchost.exe
Token: SeUndockPrivilege	1704	svchost.exe
Token: SeManageVolumePrivilege	1704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe
Token: SeLoadDriverPrivilege	1704	svchost.exe
Token: SeSystemtimePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeShutdownPrivilege	1704	svchost.exe
Token: SeSystemEnvironmentPrivilege	1704	svchost.exe
Token: SeUndockPrivilege	1704	svchost.exe
Token: SeManageVolumePrivilege	1704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 3668 wrote to memory of 4176	3668	rootkit.exe	85
PID 4176 wrote to memory of 612	4176	dllhost.exe	5
PID 4176 wrote to memory of 668	4176	dllhost.exe	7
PID 4176 wrote to memory of 948	4176	dllhost.exe	12
PID 4176 wrote to memory of 60	4176	dllhost.exe	13
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 4176 wrote to memory of 388	4176	dllhost.exe	14
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 4176 wrote to memory of 860	4176	dllhost.exe	15
PID 668 wrote to memory of 2764	668	lsass.exe	47
PID 4176 wrote to memory of 1064	4176	dllhost.exe	16
PID 4176 wrote to memory of 1080	4176	dllhost.exe	18
PID 4176 wrote to memory of 1216	4176	dllhost.exe	19
PID 4176 wrote to memory of 1228	4176	dllhost.exe	20
PID 4176 wrote to memory of 1308	4176	dllhost.exe	21
PID 4176 wrote to memory of 1332	4176	dllhost.exe	22
PID 4176 wrote to memory of 1356	4176	dllhost.exe	23
PID 4176 wrote to memory of 1468	4176	dllhost.exe	24
PID 4176 wrote to memory of 1492	4176	dllhost.exe	25
PID 4176 wrote to memory of 1512	4176	dllhost.exe	26
PID 4176 wrote to memory of 1588	4176	dllhost.exe	27
PID 4176 wrote to memory of 1664	4176	dllhost.exe	28
PID 4176 wrote to memory of 1728	4176	dllhost.exe	29
PID 4176 wrote to memory of 1780	4176	dllhost.exe	30
PID 4176 wrote to memory of 1804	4176	dllhost.exe	31
PID 4176 wrote to memory of 1892	4176	dllhost.exe	32
PID 4176 wrote to memory of 1964	4176	dllhost.exe	33
PID 4176 wrote to memory of 1984	4176	dllhost.exe	34
PID 4176 wrote to memory of 1504	4176	dllhost.exe	35
PID 4176 wrote to memory of 1704	4176	dllhost.exe	36
PID 4176 wrote to memory of 2096	4176	dllhost.exe	37
PID 4176 wrote to memory of 2152	4176	dllhost.exe	38
PID 4176 wrote to memory of 2260	4176	dllhost.exe	40
PID 4176 wrote to memory of 2384	4176	dllhost.exe	41
PID 4176 wrote to memory of 2512	4176	dllhost.exe	42
PID 4176 wrote to memory of 2520	4176	dllhost.exe	43
PID 4176 wrote to memory of 2648	4176	dllhost.exe	44
PID 4176 wrote to memory of 2688	4176	dllhost.exe	45
PID 4176 wrote to memory of 2728	4176	dllhost.exe	46
PID 4176 wrote to memory of 2764	4176	dllhost.exe	47
PID 4176 wrote to memory of 2784	4176	dllhost.exe	48
PID 4176 wrote to memory of 2800	4176	dllhost.exe	49
PID 4176 wrote to memory of 2828	4176	dllhost.exe	50
PID 4176 wrote to memory of 2848	4176	dllhost.exe	51
PID 4176 wrote to memory of 2976	4176	dllhost.exe	52
PID 4176 wrote to memory of 1048	4176	dllhost.exe	53
PID 4176 wrote to memory of 3340	4176	dllhost.exe	55
PID 4176 wrote to memory of 3392	4176	dllhost.exe	56
PID 4176 wrote to memory of 3540	4176	dllhost.exe	57
PID 4176 wrote to memory of 3716	4176	dllhost.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 60 -s 3432
    3⤵
    PID:4440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{edbc1b19-e968-4280-b31a-80e545967cba}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4176

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1228
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1588
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1920
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2012
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1816
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3356
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:212
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2096

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2728

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2976

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3392
- C:\Users\Admin\AppData\Local\Temp\Discord-RAT-2.0-2.0\Discord rat\Resources\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord-RAT-2.0-2.0\Discord rat\Resources\rootkit.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2868

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1908

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-183-0x00007FFE76B6F000-0x00007FFE76B70000-memory.dmp

Filesize
4KB

Download
memory/60-23-0x00000163276C0000-0x00000163276EA000-memory.dmp

Filesize
168KB

Download
memory/60-29-0x00000163276C0000-0x00000163276EA000-memory.dmp

Filesize
168KB

Download
memory/60-30-0x00007FFE76B6D000-0x00007FFE76B6E000-memory.dmp

Filesize
4KB

Download
memory/60-279-0x00000163276C0000-0x00000163276EA000-memory.dmp

Filesize
168KB

Download
memory/388-334-0x000001D7A7DD0000-0x000001D7A7DFA000-memory.dmp

Filesize
168KB

Download
memory/388-37-0x000001D7A7DD0000-0x000001D7A7DFA000-memory.dmp

Filesize
168KB

Download
memory/388-38-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/388-40-0x000001D7A7DD0000-0x000001D7A7DFA000-memory.dmp

Filesize
168KB

Download
memory/612-25-0x00007FFE76B6D000-0x00007FFE76B6E000-memory.dmp

Filesize
4KB

Download
memory/612-16-0x000001DFE5730000-0x000001DFE575A000-memory.dmp

Filesize
168KB

Download
memory/612-178-0x000001DFE5730000-0x000001DFE575A000-memory.dmp

Filesize
168KB

Download
memory/612-24-0x000001DFE5730000-0x000001DFE575A000-memory.dmp

Filesize
168KB

Download
memory/612-15-0x000001DFE5700000-0x000001DFE5723000-memory.dmp

Filesize
140KB

Download
memory/612-26-0x00007FFE76B6F000-0x00007FFE76B70000-memory.dmp

Filesize
4KB

Download
memory/668-27-0x000001FDE5670000-0x000001FDE569A000-memory.dmp

Filesize
168KB

Download
memory/668-19-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/668-28-0x00007FFE76B6D000-0x00007FFE76B6E000-memory.dmp

Filesize
4KB

Download
memory/668-18-0x000001FDE5670000-0x000001FDE569A000-memory.dmp

Filesize
168KB

Download
memory/860-335-0x000001FC87AE0000-0x000001FC87B0A000-memory.dmp

Filesize
168KB

Download
memory/860-61-0x000001FC87AE0000-0x000001FC87B0A000-memory.dmp

Filesize
168KB

Download
memory/860-47-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/860-46-0x000001FC87AE0000-0x000001FC87B0A000-memory.dmp

Filesize
168KB

Download
memory/948-31-0x000001AE92BB0000-0x000001AE92BDA000-memory.dmp

Filesize
168KB

Download
memory/948-32-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/948-34-0x000001AE92BB0000-0x000001AE92BDA000-memory.dmp

Filesize
168KB

Download
memory/948-332-0x000001AE92BB0000-0x000001AE92BDA000-memory.dmp

Filesize
168KB

Download
memory/948-35-0x00007FFE76B6C000-0x00007FFE76B6D000-memory.dmp

Filesize
4KB

Download
memory/1064-50-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1064-336-0x0000025F495C0000-0x0000025F495EA000-memory.dmp

Filesize
168KB

Download
memory/1064-62-0x0000025F495C0000-0x0000025F495EA000-memory.dmp

Filesize
168KB

Download
memory/1064-49-0x0000025F495C0000-0x0000025F495EA000-memory.dmp

Filesize
168KB

Download
memory/1080-53-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1080-52-0x0000018FB2F70000-0x0000018FB2F9A000-memory.dmp

Filesize
168KB

Download
memory/1216-55-0x000001BCEB960000-0x000001BCEB98A000-memory.dmp

Filesize
168KB

Download
memory/1216-56-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1228-58-0x000001BD491D0000-0x000001BD491FA000-memory.dmp

Filesize
168KB

Download
memory/1228-59-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1308-65-0x000001D9E17A0000-0x000001D9E17CA000-memory.dmp

Filesize
168KB

Download
memory/1308-66-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1332-69-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1332-68-0x00000241759D0000-0x00000241759FA000-memory.dmp

Filesize
168KB

Download
memory/1356-79-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1356-78-0x000001F99A190000-0x000001F99A1BA000-memory.dmp

Filesize
168KB

Download
memory/1468-81-0x000001CE9A7A0000-0x000001CE9A7CA000-memory.dmp

Filesize
168KB

Download
memory/3668-3-0x00007FFE76320000-0x00007FFE763DE000-memory.dmp

Filesize
760KB

Download
memory/3668-0-0x00007FFE57F45000-0x00007FFE57F46000-memory.dmp

Filesize
4KB

Download
memory/3668-2-0x00007FFE76AD0000-0x00007FFE76CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3668-12-0x00007FFE57C90000-0x00007FFE58631000-memory.dmp

Filesize
9.6MB

Download
memory/3668-4-0x00007FFE57C90000-0x00007FFE58631000-memory.dmp

Filesize
9.6MB

Download
memory/3668-1-0x00007FFE57C90000-0x00007FFE58631000-memory.dmp

Filesize
9.6MB

Download
memory/4176-9-0x00007FFE76AD0000-0x00007FFE76CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4176-7-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-6-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-5-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-10-0x00007FFE76320000-0x00007FFE763DE000-memory.dmp

Filesize
760KB

Download