discordrat | d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24

Analysis

max time kernel
150s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-06-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hehe's external.exe
Size

78KB
MD5

89843ea4105378e4fbe7afe99f2b291b
SHA1

a469ae734ba46f9a3712d95fa987286a303263d7
SHA256

d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24
SHA512

7cff64984b9d4cd233542e10cb507b99fd7c291d4cea52af6feb36e029094d7db68643d120f6239623ef567867baab903095a56fc713565cddddbcb66b5f5574
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+9GPIC:5Zv5PDwbjNrmAE+8IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MjM2MzM1NDQwNDgxOTEzOA.Gu7T7x.fG7ImMChaLHchh6lcv8_MHa3JQWR8Fn4L12thY
server_id
1251916764929982485

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4728 created 584	4728	hehe's external.exe	5

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	discord.com
12	discord.com
18	discord.com
19	discord.com
25	raw.githubusercontent.com
27	discord.com
3	discord.com
9	discord.com
13	discord.com
17	discord.com
24	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4728 set thread context of 4100	4728	hehe's external.exe	78

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4192	taskmgr.exe
3360	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	hehe's external.exe
Token: SeDebugPrivilege	4192	taskmgr.exe
Token: SeSystemProfilePrivilege	4192	taskmgr.exe
Token: SeCreateGlobalPrivilege	4192	taskmgr.exe
Token: 33	4192	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4192	taskmgr.exe
Token: 33	4152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4152	AUDIODG.EXE
Token: SeDebugPrivilege	4728	hehe's external.exe
Token: SeDebugPrivilege	4100	dllhost.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 4348	4728	hehe's external.exe	76
PID 4728 wrote to memory of 4348	4728	hehe's external.exe	76
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4728 wrote to memory of 4100	4728	hehe's external.exe	78
PID 4100 wrote to memory of 584	4100	dllhost.exe	5
PID 4100 wrote to memory of 636	4100	dllhost.exe	7
PID 4100 wrote to memory of 728	4100	dllhost.exe	8
PID 4100 wrote to memory of 908	4100	dllhost.exe	13
PID 4100 wrote to memory of 1004	4100	dllhost.exe	14
PID 4100 wrote to memory of 64	4100	dllhost.exe	15
PID 4100 wrote to memory of 304	4100	dllhost.exe	16
PID 4100 wrote to memory of 380	4100	dllhost.exe	17
PID 4100 wrote to memory of 1040	4100	dllhost.exe	18
PID 4100 wrote to memory of 1080	4100	dllhost.exe	20
PID 4100 wrote to memory of 1100	4100	dllhost.exe	21
PID 4100 wrote to memory of 1172	4100	dllhost.exe	22
PID 4100 wrote to memory of 1220	4100	dllhost.exe	23
PID 4100 wrote to memory of 1304	4100	dllhost.exe	24
PID 4100 wrote to memory of 1324	4100	dllhost.exe	25
PID 4100 wrote to memory of 1336	4100	dllhost.exe	26
PID 4100 wrote to memory of 1416	4100	dllhost.exe	27
PID 4100 wrote to memory of 1472	4100	dllhost.exe	28
PID 4100 wrote to memory of 1540	4100	dllhost.exe	29
PID 4100 wrote to memory of 1564	4100	dllhost.exe	30
PID 4100 wrote to memory of 1584	4100	dllhost.exe	31
PID 4100 wrote to memory of 1664	4100	dllhost.exe	32
PID 4100 wrote to memory of 1680	4100	dllhost.exe	33
PID 4100 wrote to memory of 1796	4100	dllhost.exe	34
PID 4100 wrote to memory of 1804	4100	dllhost.exe	35
PID 4100 wrote to memory of 1868	4100	dllhost.exe	36
PID 4100 wrote to memory of 1904	4100	dllhost.exe	37
PID 4100 wrote to memory of 1536	4100	dllhost.exe	38
PID 4100 wrote to memory of 1900	4100	dllhost.exe	39
PID 4100 wrote to memory of 2060	4100	dllhost.exe	40
PID 4100 wrote to memory of 2364	4100	dllhost.exe	41
PID 4100 wrote to memory of 2492	4100	dllhost.exe	42
PID 4100 wrote to memory of 2536	4100	dllhost.exe	43
PID 4100 wrote to memory of 2544	4100	dllhost.exe	44
PID 4100 wrote to memory of 2588	4100	dllhost.exe	45
PID 4100 wrote to memory of 2632	4100	dllhost.exe	46
PID 4100 wrote to memory of 2708	4100	dllhost.exe	47
PID 4100 wrote to memory of 2716	4100	dllhost.exe	48
PID 4100 wrote to memory of 2756	4100	dllhost.exe	49
PID 4100 wrote to memory of 2780	4100	dllhost.exe	50
PID 4100 wrote to memory of 2792	4100	dllhost.exe	51
PID 4100 wrote to memory of 2904	4100	dllhost.exe	52
PID 4100 wrote to memory of 3052	4100	dllhost.exe	53
PID 4100 wrote to memory of 2864	4100	dllhost.exe	54
PID 4100 wrote to memory of 3360	4100	dllhost.exe	55
PID 4100 wrote to memory of 3932	4100	dllhost.exe	58
PID 4100 wrote to memory of 3684	4100	dllhost.exe	60
PID 4100 wrote to memory of 4752	4100	dllhost.exe	61
PID 4100 wrote to memory of 4488	4100	dllhost.exe	63
PID 4100 wrote to memory of 3968	4100	dllhost.exe	64
PID 4100 wrote to memory of 2560	4100	dllhost.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{502ccfae-c3a2-47f2-ac71-6f0b0a4d45c7}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:64

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1080
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1416
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x3f8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2708

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3052

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3360
- C:\Users\Admin\AppData\Local\Temp\hehe's external.exe
  "C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    3⤵
    PID:4348
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4192

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3968

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3464

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3068

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_FB37E93139FE414EACF34E30FDA993A6.dat

Filesize
940B

MD5
d55714f7fc0bdc6379d97500d325b221

SHA1
0662517e18ca899b56fff8cf2d9d917afd54a6ce

SHA256
9da511206473d7f3c178592dca1a7d9a9da5ab3573602f39c8a51649166c49a8

SHA512
561d7e6dfb9517ee1e2dfeb5e2b6b47a378d06331f5e0f30d6280a628c68ee01820bfdb7920828b7c0531f4f407cd1865bd3d3e464a09e454c71980c7d805ea3

Download Submit
memory/584-37-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/584-34-0x0000022D64A80000-0x0000022D64AA3000-memory.dmp

Filesize
140KB

Download
memory/584-36-0x0000022D64AB0000-0x0000022D64ADA000-memory.dmp

Filesize
168KB

Download
memory/636-39-0x000001F3C7E60000-0x000001F3C7E8A000-memory.dmp

Filesize
168KB

Download
memory/636-40-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/1004-46-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/1004-45-0x0000028C31FC0000-0x0000028C31FEA000-memory.dmp

Filesize
168KB

Download
memory/3360-88-0x0000000002590000-0x00000000025BA000-memory.dmp

Filesize
168KB

Download
memory/3360-89-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp

Filesize
64KB

Download
memory/4100-28-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4100-31-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp

Filesize
696KB

Download
memory/4100-32-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4100-29-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4100-30-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-26-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-0-0x00007FFFABA43000-0x00007FFFABA44000-memory.dmp

Filesize
4KB

Download
memory/4728-27-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp

Filesize
696KB

Download
memory/4728-25-0x0000011EEB1E0000-0x0000011EEB21E000-memory.dmp

Filesize
248KB

Download
memory/4728-17-0x0000011EEB0F0000-0x0000011EEB19A000-memory.dmp

Filesize
680KB

Download
memory/4728-13-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-12-0x00007FFFABA43000-0x00007FFFABA44000-memory.dmp

Filesize
4KB

Download
memory/4728-4-0x0000011EE9080000-0x0000011EE95A6000-memory.dmp

Filesize
5.1MB

Download
memory/4728-3-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-2-0x0000011EE8880000-0x0000011EE8A42000-memory.dmp

Filesize
1.8MB

Download
memory/4728-1-0x0000011ECE280000-0x0000011ECE298000-memory.dmp

Filesize
96KB

Download