fe5babb459b6efece0241e14768c284fe3f0d99fe05261ab9a55c9446b348eed

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 18:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Discord-RAT-2.0-2.0/Discord rat/Resources/rootkit.exe
Size

223KB
MD5

d72fea64a05b3f7dce725352d7c1d032
SHA1

9c27e234567d237d9c495353567f2efa42e8f616
SHA256

8fdae5b4490183c9057a684f0ac2f82dd5c8911cb2f43a54ff47a9ad6e93952a
SHA512

56bb1c4d83587ecc5f8bb41882d449e1812cdf1db1fee4068f5ef1b49f28d3e0af95e14f306d494a6c6cd4771c052360a96388f59bfa409affb3b21790da00d3
SSDEEP

6144:wguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOks:kKLBwiZlzMB9xgndcP88DvvP

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rootkit.exe

description pid process target process

PID 3668 created 612 3668 rootkit.exe winlogon.exe

description	pid	process	target process
PID 3668 created 612	3668	rootkit.exe	winlogon.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rootkit.exe

description pid process target process

PID 3668 set thread context of 4176 3668 rootkit.exe dllhost.exe

description	pid	process	target process
PID 3668 set thread context of 4176	3668	rootkit.exe	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rootkit.exedllhost.exe

pid	process
3668	rootkit.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe
4176	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
2892
3928
1184
3468
4992
4132
4388
3264
2700
4840
4512
4540
2196
3668
4520
4480
680
4672
4912
3724
2188
2192
4116
648
4608
1812
4552
1344
3776
100
4072
2808
2068
3416
452
3412
3192
1996
1500
4980
3452
1924
5024
1744
828
1864
4660
316
3332
4616
2660
3080
1464
1032
1204
1208
1252
1316
1524
1880
2712
756
3308
4860

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rootkit.exedllhost.exeExplorer.EXEsvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3668	rootkit.exe
Token: SeDebugPrivilege	3668	rootkit.exe
Token: SeDebugPrivilege	4176	dllhost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAuditPrivilege	2784	svchost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe
Token: SeLoadDriverPrivilege	1704	svchost.exe
Token: SeSystemtimePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeShutdownPrivilege	1704	svchost.exe
Token: SeSystemEnvironmentPrivilege	1704	svchost.exe
Token: SeUndockPrivilege	1704	svchost.exe
Token: SeManageVolumePrivilege	1704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe
Token: SeLoadDriverPrivilege	1704	svchost.exe
Token: SeSystemtimePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeShutdownPrivilege	1704	svchost.exe
Token: SeSystemEnvironmentPrivilege	1704	svchost.exe
Token: SeUndockPrivilege	1704	svchost.exe
Token: SeManageVolumePrivilege	1704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe
Token: SeLoadDriverPrivilege	1704	svchost.exe
Token: SeSystemtimePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeShutdownPrivilege	1704	svchost.exe
Token: SeSystemEnvironmentPrivilege	1704	svchost.exe
Token: SeUndockPrivilege	1704	svchost.exe
Token: SeManageVolumePrivilege	1704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1704	svchost.exe
Token: SeIncreaseQuotaPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeTakeOwnershipPrivilege	1704	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3392 Explorer.EXE

pid	process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rootkit.exedllhost.exelsass.exe

description	pid	process	target process
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 3668 wrote to memory of 4176	3668	rootkit.exe	dllhost.exe
PID 4176 wrote to memory of 612	4176	dllhost.exe	winlogon.exe
PID 4176 wrote to memory of 668	4176	dllhost.exe	lsass.exe
PID 4176 wrote to memory of 948	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 60	4176	dllhost.exe	dwm.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 4176 wrote to memory of 388	4176	dllhost.exe	svchost.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 4176 wrote to memory of 860	4176	dllhost.exe	svchost.exe
PID 668 wrote to memory of 2764	668	lsass.exe	sysmon.exe
PID 4176 wrote to memory of 1064	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1080	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1216	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1228	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1308	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1332	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1356	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1468	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1492	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1512	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1588	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1664	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1728	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1780	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1804	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1892	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1964	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1984	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1504	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1704	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2096	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2152	4176	dllhost.exe	spoolsv.exe
PID 4176 wrote to memory of 2260	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2384	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2512	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2520	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2648	4176	dllhost.exe	sihost.exe
PID 4176 wrote to memory of 2688	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2728	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2764	4176	dllhost.exe	sysmon.exe
PID 4176 wrote to memory of 2784	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2800	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2828	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 2848	4176	dllhost.exe	taskhostw.exe
PID 4176 wrote to memory of 2976	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 1048	4176	dllhost.exe	unsecapp.exe
PID 4176 wrote to memory of 3340	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 3392	4176	dllhost.exe	Explorer.EXE
PID 4176 wrote to memory of 3540	4176	dllhost.exe	svchost.exe
PID 4176 wrote to memory of 3716	4176	dllhost.exe	DllHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 60 -s 3432
    3⤵
    PID:4440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{edbc1b19-e968-4280-b31a-80e545967cba}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4176

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1228
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1588
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1920
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2012
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1816
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3356
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:212
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2096

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2728

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2976

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3392
- C:\Users\Admin\AppData\Local\Temp\Discord-RAT-2.0-2.0\Discord rat\Resources\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord-RAT-2.0-2.0\Discord rat\Resources\rootkit.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2868

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1908

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-183-0x00007FFE76B6F000-0x00007FFE76B70000-memory.dmp

Filesize
4KB

Download
memory/60-23-0x00000163276C0000-0x00000163276EA000-memory.dmp

Filesize
168KB

Download
memory/60-29-0x00000163276C0000-0x00000163276EA000-memory.dmp

Filesize
168KB

Download
memory/60-30-0x00007FFE76B6D000-0x00007FFE76B6E000-memory.dmp

Filesize
4KB

Download
memory/60-279-0x00000163276C0000-0x00000163276EA000-memory.dmp

Filesize
168KB

Download
memory/388-334-0x000001D7A7DD0000-0x000001D7A7DFA000-memory.dmp

Filesize
168KB

Download
memory/388-37-0x000001D7A7DD0000-0x000001D7A7DFA000-memory.dmp

Filesize
168KB

Download
memory/388-38-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/388-40-0x000001D7A7DD0000-0x000001D7A7DFA000-memory.dmp

Filesize
168KB

Download
memory/612-25-0x00007FFE76B6D000-0x00007FFE76B6E000-memory.dmp

Filesize
4KB

Download
memory/612-16-0x000001DFE5730000-0x000001DFE575A000-memory.dmp

Filesize
168KB

Download
memory/612-178-0x000001DFE5730000-0x000001DFE575A000-memory.dmp

Filesize
168KB

Download
memory/612-24-0x000001DFE5730000-0x000001DFE575A000-memory.dmp

Filesize
168KB

Download
memory/612-15-0x000001DFE5700000-0x000001DFE5723000-memory.dmp

Filesize
140KB

Download
memory/612-26-0x00007FFE76B6F000-0x00007FFE76B70000-memory.dmp

Filesize
4KB

Download
memory/668-27-0x000001FDE5670000-0x000001FDE569A000-memory.dmp

Filesize
168KB

Download
memory/668-19-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/668-28-0x00007FFE76B6D000-0x00007FFE76B6E000-memory.dmp

Filesize
4KB

Download
memory/668-18-0x000001FDE5670000-0x000001FDE569A000-memory.dmp

Filesize
168KB

Download
memory/860-335-0x000001FC87AE0000-0x000001FC87B0A000-memory.dmp

Filesize
168KB

Download
memory/860-61-0x000001FC87AE0000-0x000001FC87B0A000-memory.dmp

Filesize
168KB

Download
memory/860-47-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/860-46-0x000001FC87AE0000-0x000001FC87B0A000-memory.dmp

Filesize
168KB

Download
memory/948-31-0x000001AE92BB0000-0x000001AE92BDA000-memory.dmp

Filesize
168KB

Download
memory/948-32-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/948-34-0x000001AE92BB0000-0x000001AE92BDA000-memory.dmp

Filesize
168KB

Download
memory/948-332-0x000001AE92BB0000-0x000001AE92BDA000-memory.dmp

Filesize
168KB

Download
memory/948-35-0x00007FFE76B6C000-0x00007FFE76B6D000-memory.dmp

Filesize
4KB

Download
memory/1064-50-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1064-336-0x0000025F495C0000-0x0000025F495EA000-memory.dmp

Filesize
168KB

Download
memory/1064-62-0x0000025F495C0000-0x0000025F495EA000-memory.dmp

Filesize
168KB

Download
memory/1064-49-0x0000025F495C0000-0x0000025F495EA000-memory.dmp

Filesize
168KB

Download
memory/1080-53-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1080-52-0x0000018FB2F70000-0x0000018FB2F9A000-memory.dmp

Filesize
168KB

Download
memory/1216-55-0x000001BCEB960000-0x000001BCEB98A000-memory.dmp

Filesize
168KB

Download
memory/1216-56-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1228-58-0x000001BD491D0000-0x000001BD491FA000-memory.dmp

Filesize
168KB

Download
memory/1228-59-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1308-65-0x000001D9E17A0000-0x000001D9E17CA000-memory.dmp

Filesize
168KB

Download
memory/1308-66-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1332-69-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1332-68-0x00000241759D0000-0x00000241759FA000-memory.dmp

Filesize
168KB

Download
memory/1356-79-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/1356-78-0x000001F99A190000-0x000001F99A1BA000-memory.dmp

Filesize
168KB

Download
memory/1468-81-0x000001CE9A7A0000-0x000001CE9A7CA000-memory.dmp

Filesize
168KB

Download
memory/3668-3-0x00007FFE76320000-0x00007FFE763DE000-memory.dmp

Filesize
760KB

Download
memory/3668-0-0x00007FFE57F45000-0x00007FFE57F46000-memory.dmp

Filesize
4KB

Download
memory/3668-2-0x00007FFE76AD0000-0x00007FFE76CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3668-12-0x00007FFE57C90000-0x00007FFE58631000-memory.dmp

Filesize
9.6MB

Download
memory/3668-4-0x00007FFE57C90000-0x00007FFE58631000-memory.dmp

Filesize
9.6MB

Download
memory/3668-1-0x00007FFE57C90000-0x00007FFE58631000-memory.dmp

Filesize
9.6MB

Download
memory/4176-9-0x00007FFE76AD0000-0x00007FFE76CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4176-7-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-6-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-5-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4176-10-0x00007FFE76320000-0x00007FFE763DE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads