Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19-06-2024 19:02
Behavioral task: behavioral1
- Sample: hehe's external.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: hehe's external.exe
- Resource: win10v2004-20240508-en
General
- Target: hehe's external.exe
- Size: 78KB
- MD5: 89843ea4105378e4fbe7afe99f2b291b
- SHA1: a469ae734ba46f9a3712d95fa987286a303263d7
- SHA256: d71e071decfbf58e254b4c45a18c71b30446ca83d7acff324761569e57027b24
- SHA512: 7cff64984b9d4cd233542e10cb507b99fd7c291d4cea52af6feb36e029094d7db68643d120f6239623ef567867baab903095a56fc713565cddddbcb66b5f5574
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+9GPIC:5Zv5PDwbjNrmAE+8IC
Malware Config
Extracted: discordrat
- discord_token: MTI1MjM2MzM1NDQwNDgxOTEzOA.Gu7T7x.fG7ImMChaLHchh6lcv8_MHa3JQWR8Fn4L12thY
- server_id: 1251916764929982485
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: hehe's external.exe
  description | pid | process | target process
  PID 4728 created 584 | 4728 | hehe's external.exe | winlogon.exe
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow | ioc
  4 | discord.com
  12 | discord.com
  18 | discord.com
  19 | discord.com
  25 | raw.githubusercontent.com
  27 | discord.com
  3 | discord.com
  9 | discord.com
  13 | discord.com
  17 | discord.com
  24 | raw.githubusercontent.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: hehe's external.exe
  description | pid | process | target process
  PID 4728 set thread context of 4100 | 4728 | hehe's external.exe | dllhost.exe
- Drops file in Windows directory (2 IoCs)
  Processes: taskmgr.exe
  description | ioc | process
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: taskmgr.exe
  pid | process
  4192 | taskmgr.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: taskmgr.exe, Explorer.EXE
  pid | process
  4192 | taskmgr.exe
  3360 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes: hehe's external.exe, taskmgr.exe, AUDIODG.EXE, dllhost.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 4728 | hehe's external.exe
  Token: SeDebugPrivilege | 4192 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4192 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4192 | taskmgr.exe
  Token: 33 | 4192 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4192 | taskmgr.exe
  Token: 33 | 4152 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4152 | AUDIODG.EXE
  Token: SeDebugPrivilege | 4728 | hehe's external.exe
  Token: SeDebugPrivilege | 4100 | dllhost.exe
  Token: SeShutdownPrivilege | 3360 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3360 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: taskmgr.exe
  pid | process
  4192 | taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: taskmgr.exe
  pid | process
  4192 | taskmgr.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: hehe's external.exe, dllhost.exe
  description | pid | process | target process
  PID 4728 wrote to memory of 4348 | 4728 | hehe's external.exe | SCHTASKS.exe (2 identical entries)
  PID 4728 wrote to memory of 4100 | 4728 | hehe's external.exe | dllhost.exe (11 identical entries)
  PID 4100 wrote to memory of 584 | 4100 | dllhost.exe | winlogon.exe
  PID 4100 wrote to memory of 636 | 4100 | dllhost.exe | lsass.exe
  PID 4100 wrote to memory of 728 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 908 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1004 | 4100 | dllhost.exe | dwm.exe
  PID 4100 wrote to memory of 64 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 304 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 380 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1040 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1080 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1100 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1172 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1220 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1304 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1324 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1336 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1416 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1472 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1540 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1564 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1584 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1664 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1680 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1796 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1804 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1868 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1904 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 1536 | 4100 | dllhost.exe | spoolsv.exe
  PID 4100 wrote to memory of 1900 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2060 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2364 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2492 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2536 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2544 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2588 | 4100 | dllhost.exe | sihost.exe
  PID 4100 wrote to memory of 2632 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2708 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2716 | 4100 | dllhost.exe | sysmon.exe
  PID 4100 wrote to memory of 2756 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2780 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2792 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2904 | 4100 | dllhost.exe | taskhostw.exe
  PID 4100 wrote to memory of 3052 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2864 | 4100 | dllhost.exe | unsecapp.exe
  PID 4100 wrote to memory of 3360 | 4100 | dllhost.exe | Explorer.EXE
  PID 4100 wrote to memory of 3932 | 4100 | dllhost.exe | RuntimeBroker.exe
  PID 4100 wrote to memory of 3684 | 4100 | dllhost.exe | DllHost.exe
  PID 4100 wrote to memory of 4752 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 4488 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 3968 | 4100 | dllhost.exe | svchost.exe
  PID 4100 wrote to memory of 2560 | 4100 | dllhost.exe | OfficeClickToRun.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes indented under their parent)
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 584
  - C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 1004
  - C:\Windows\System32\dllhost.exe
    command line: C:\Windows\System32\dllhost.exe /Processid:{502ccfae-c3a2-47f2-ac71-6f0b0a4d45c7}
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 4100
- C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
  PID: 636
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
  PID: 728
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
  PID: 908
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
  PID: 64
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
  PID: 304
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
  PID: 380
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
  PID: 1040
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  PID: 1080
  - c:\windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2904
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
  PID: 1100
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s nsi
  PID: 1172
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
  PID: 1220
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
  PID: 1304
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Themes
  PID: 1324
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s EventSystem
  PID: 1336
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
  PID: 1416
  - c:\windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2588
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s SENS
  PID: 1472
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
  PID: 1540
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
  PID: 1564
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
  PID: 1584
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s netprofm
  PID: 1664
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 1680
  - C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x3f8
    signatures: Suspicious use of AdjustPrivilegeToken
    PID: 4152
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 1796
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 1804
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
  PID: 1868
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
  PID: 1904
- C:\Windows\System32\spoolsv.exe
  command line: C:\Windows\System32\spoolsv.exe
  PID: 1536
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
  PID: 1900
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  PID: 2060
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  PID: 2364
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
  PID: 2492
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
  PID: 2536
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
  PID: 2544
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  PID: 2632
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Browser
  PID: 2708
- C:\Windows\sysmon.exe
  command line: C:\Windows\sysmon.exe
  PID: 2716
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
  PID: 2756
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
  PID: 2780
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
  PID: 2792
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
  PID: 3052
- C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2864
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  PID: 3360
  - C:\Users\Admin\AppData\Local\Temp\hehe's external.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\hehe's external.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 4728
    - C:\Windows\SYSTEM32\SCHTASKS.exe
      command line: "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      PID: 4348
  - C:\Windows\system32\taskmgr.exe
    command line: "C:\Windows\system32\taskmgr.exe" /4
    signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    PID: 4192
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3932
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3684
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
  PID: 4752
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
  PID: 4488
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  PID: 3968
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID: 2560
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
  PID: 4336
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3464
- C:\Windows\system32\ApplicationFrameHost.exe
  command line: C:\Windows\system32\ApplicationFrameHost.exe -Embedding
  PID: 3948
- C:\Windows\System32\InstallAgent.exe
  command line: C:\Windows\System32\InstallAgent.exe -Embedding
  PID: 3704
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  PID: 3068
- C:\Windows\system32\wbem\wmiprvse.exe
  command line: C:\Windows\system32\wbem\wmiprvse.exe
  PID: 4884
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_FB37E93139FE414EACF34E30FDA993A6.dat
  Filesize: 940B
  MD5: d55714f7fc0bdc6379d97500d325b221
  SHA1: 0662517e18ca899b56fff8cf2d9d917afd54a6ce
  SHA256: 9da511206473d7f3c178592dca1a7d9a9da5ab3573602f39c8a51649166c49a8
  SHA512: 561d7e6dfb9517ee1e2dfeb5e2b6b47a378d06331f5e0f30d6280a628c68ee01820bfdb7920828b7c0531f4f407cd1865bd3d3e464a09e454c71980c7d805ea3
- memory/584-37-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
  Filesize: 64KB
- memory/584-34-0x0000022D64A80000-0x0000022D64AA3000-memory.dmp
  Filesize: 140KB
- memory/584-36-0x0000022D64AB0000-0x0000022D64ADA000-memory.dmp
  Filesize: 168KB
- memory/636-39-0x000001F3C7E60000-0x000001F3C7E8A000-memory.dmp
  Filesize: 168KB
- memory/636-40-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
  Filesize: 64KB
- memory/1004-46-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
  Filesize: 64KB
- memory/1004-45-0x0000028C31FC0000-0x0000028C31FEA000-memory.dmp
  Filesize: 168KB
- memory/3360-88-0x0000000002590000-0x00000000025BA000-memory.dmp
  Filesize: 168KB
- memory/3360-89-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
  Filesize: 64KB
- memory/4100-28-0x0000000140000000-0x0000000140040000-memory.dmp
  Filesize: 256KB
- memory/4100-31-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp
  Filesize: 696KB
- memory/4100-32-0x0000000140000000-0x0000000140040000-memory.dmp
  Filesize: 256KB
- memory/4100-29-0x0000000140000000-0x0000000140040000-memory.dmp
  Filesize: 256KB
- memory/4100-30-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp
  Filesize: 1.9MB
- memory/4728-26-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp
  Filesize: 1.9MB
- memory/4728-0-0x00007FFFABA43000-0x00007FFFABA44000-memory.dmp
  Filesize: 4KB
- memory/4728-27-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp
  Filesize: 696KB
- memory/4728-25-0x0000011EEB1E0000-0x0000011EEB21E000-memory.dmp
  Filesize: 248KB
- memory/4728-17-0x0000011EEB0F0000-0x0000011EEB19A000-memory.dmp
  Filesize: 680KB
- memory/4728-13-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmp
  Filesize: 9.9MB
- memory/4728-12-0x00007FFFABA43000-0x00007FFFABA44000-memory.dmp
  Filesize: 4KB
- memory/4728-4-0x0000011EE9080000-0x0000011EE95A6000-memory.dmp
  Filesize: 5.1MB
- memory/4728-3-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmp
  Filesize: 9.9MB
- memory/4728-2-0x0000011EE8880000-0x0000011EE8A42000-memory.dmp
  Filesize: 1.8MB
- memory/4728-1-0x0000011ECE280000-0x0000011ECE298000-memory.dmp
  Filesize: 96KB