Malware Analysis Report

2024-09-11 09:06

Sample ID 240628-w5zdjs1grj
Target Client-built.exe
SHA256 9d75cc219fc049368f2dcd1a0e2b6d770c5c00e25e9fcaa43cbffb64beec2f4f
Tags
discordrat persistence rat rootkit stealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d75cc219fc049368f2dcd1a0e2b6d770c5c00e25e9fcaa43cbffb64beec2f4f

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer spyware

Discordrat family

Suspicious use of NtCreateUserProcessOtherParentProcess

Discord RAT

Downloads MZ/PE file

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-28 18:30

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 18:30

Reported

2024-06-28 18:33

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\WerFault.exe
PID 2116 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\WerFault.exe
PID 2116 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2116 -s 596

Network

N/A

Files

memory/2116-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

memory/2116-1-0x000000013FCA0000-0x000000013FCB8000-memory.dmp

memory/2116-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

memory/2116-3-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 18:30

Reported

2024-06-28 18:32

Platform

win10v2004-20240611-en

Max time kernel

73s

Max time network

76s

Command Line

winlogon.exe

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4496 created 604 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\winlogon.exe

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4496 set thread context of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A 7 events
N/A N/A C:\Windows\System32\dllhost.exe N/A 57 events

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4496 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 328 wrote to memory of 604 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 328 wrote to memory of 664 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 328 wrote to memory of 936 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1016 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 328 wrote to memory of 504 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 932 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1096 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1108 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1132 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1156 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1236 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1300 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1312 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1444 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1572 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1584 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1632 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1696 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1744 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1804 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1908 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1944 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 1956 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 2024 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 1824 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 328 wrote to memory of 2144 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2152 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 2272 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 2416 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2596 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2652 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 328 wrote to memory of 2664 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2676 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 2684 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2764 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 328 wrote to memory of 2816 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 2984 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 328 wrote to memory of 2280 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhostw.exe
PID 328 wrote to memory of 2644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 3332 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 3420 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 328 wrote to memory of 3552 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 3736 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 328 wrote to memory of 3892 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 328 wrote to memory of 4104 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 328 wrote to memory of 4580 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\SppExtComObj.exe
PID 328 wrote to memory of 5116 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 4700 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 328 wrote to memory of 4980 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 328 wrote to memory of 792 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
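
The signature rows above describe a two-stage injection on the Windows 10 run: Client-built.exe (PID 4496) sets the thread context of and repeatedly writes into dllhost.exe (PID 328), and PID 328 then writes into winlogon.exe, lsass.exe, sysmon.exe, Explorer.EXE and dozens of svchost.exe instances; a separate row records PID 4496 creating a process under another parent (PID 604, winlogon.exe). The Windows 7 run (behavioral1) only shows WerFault.exe handling a crash of PID 2116 and no network activity, so the Windows 10 rows are the ones worth graphing. The script below is an added example, not part of the report or of the sandbox's tooling: it parses a pipe-delimited transcription of a subset of those rows (constructed here, embedded inline) into an injection graph and reports the hollowing pair, the spread from the hollowed host, and the other-parent creation. It reads "PID A created B" as A creating a process under parent B; that reading, and the pipe-delimited layout, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral2 "Suspicious use of ..." rows above,
# transcribed as signature|indicator|process|target (the pipe layout is ours).
SAMPLE_ROWS = r"""
NtCreateUserProcessOtherParentProcess|PID 4496 created 604|C:\Users\Admin\AppData\Local\Temp\Client-built.exe|C:\Windows\system32\winlogon.exe
SetThreadContext|PID 4496 set thread context of 328|C:\Users\Admin\AppData\Local\Temp\Client-built.exe|C:\Windows\System32\dllhost.exe
WriteProcessMemory|PID 4496 wrote to memory of 328|C:\Users\Admin\AppData\Local\Temp\Client-built.exe|C:\Windows\System32\dllhost.exe
WriteProcessMemory|PID 4496 wrote to memory of 328|C:\Users\Admin\AppData\Local\Temp\Client-built.exe|C:\Windows\System32\dllhost.exe
WriteProcessMemory|PID 328 wrote to memory of 604|C:\Windows\System32\dllhost.exe|C:\Windows\system32\winlogon.exe
WriteProcessMemory|PID 328 wrote to memory of 664|C:\Windows\System32\dllhost.exe|C:\Windows\system32\lsass.exe
WriteProcessMemory|PID 328 wrote to memory of 936|C:\Windows\System32\dllhost.exe|C:\Windows\system32\svchost.exe
WriteProcessMemory|PID 328 wrote to memory of 2652|C:\Windows\System32\dllhost.exe|C:\Windows\sysmon.exe
WriteProcessMemory|PID 328 wrote to memory of 3420|C:\Windows\System32\dllhost.exe|C:\Windows\Explorer.EXE
"""

INDICATOR_RE = re.compile(r"PID (\d+) (created|set thread context of|wrote to memory of) (\d+)")
VERB_TO_KIND = {"created": "create", "set thread context of": "ctx", "wrote to memory of": "write"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return (events, images): events are (src_pid, kind, dst_pid) tuples in report
    order; images maps each pid to the image path the report gave for it."""
    events, images = [], {}
    for line in text.strip().splitlines():
        _sig, indicator, proc, target = line.split("|")
        m = INDICATOR_RE.match(indicator)
        if not m:
            continue  # rows without a PID indicator carry no graph edge
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        events.append((src, VERB_TO_KIND[verb], dst))
        images.setdefault(src, proc)
        images.setdefault(dst, target)
    return events, images


def hollowing_candidates(events):
    """Source/target pairs that saw both a thread-context change and a memory write
    from the same source: the hollowing / thread-hijack pattern the report flags."""
    by_pair = defaultdict(set)
    for src, kind, dst in events:
        by_pair[(src, dst)].add(kind)
    return sorted(pair for pair, kinds in by_pair.items() if {"ctx", "write"} <= kinds)


def injected_by(events, pid):
    """Distinct pids that received memory writes from pid, in first-seen order."""
    seen = []
    for src, kind, dst in events:
        if src == pid and kind == "write" and dst not in seen:
            seen.append(dst)
    return seen


def spoofed_parents(events):
    """(creator, parent) pairs from the NtCreateUserProcess other-parent rows.
    Assumption: 'PID A created B' means A created a process under parent B."""
    return [(src, dst) for src, kind, dst in events if kind == "create"]


def summarize(text):
    """Human-readable stages of the injection chain, one string per stage."""
    events, images = parse_rows(text)
    stages = []
    for src, dst in hollowing_candidates(events):
        stages.append(f"{src} ({basename(images[src])}) hollowed {dst} ({basename(images[dst])})")
        victims = injected_by(events, dst)
        names = ", ".join(basename(images[v]) for v in victims)
        stages.append(f"{dst} then wrote into {len(victims)} processes: {names}")
    for creator, parent in spoofed_parents(events):
        stages.append(f"{creator} created a process under parent {parent} ({basename(images[parent])})")
    return stages


if __name__ == "__main__":
    for stage in summarize(SAMPLE_ROWS):
        print(stage)
```

Run against the full table rather than this subset, the second stage lists every process PID 328 touched; the point of the pairing rule in hollowing_candidates is that a write without a matching thread-context change (the many 328 -> svchost.exe rows) is injection into an already-running process, not hollowing of a process the sample launched.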

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f9d2c77c-6c4f-43a2-aef7-1d8cff191c88}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
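
The network table mixes three kinds of rows: forward DNS lookups sent to 8.8.8.8, TCP connections, and reverse (in-addr.arpa) lookups of IP addresses. The script below is an added example, not part of the report: it parses a constructed subset of the rows above, counts TCP connections per endpoint, groups the endpoints belonging to the domains the "Legitimate hosting services abused" signature names, and lists IPs that appear only as PTR lookups, which hints at connections the table does not show as TCP rows. Two assumptions: gateway.discord.gg is added to the flagged domain set because it is Discord's bot gateway host (the report signature names only discord.com and raw.githubusercontent.com), and a PTR-only IP is treated as a lead to chase in the full capture, not as a confirmed connection.

```python
from collections import Counter, defaultdict

# Constructed sample: rows transcribed from the behavioral2 Network table above
# (country destination domain proto).
SAMPLE_NET = """
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
"""

# Domains the report's abused-hosting signature names, plus gateway.discord.gg
# (analyst assumption: Discord's bot gateway, not listed by the signature itself).
C2_DOMAINS = {"discord.com", "raw.githubusercontent.com", "gateway.discord.gg"}

PTR_SUFFIX = ".in-addr.arpa"


def parse_net(text):
    """Split each row into country, ip, port, domain and proto."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def tcp_connections(rows):
    """Number of TCP connections per (domain, ip, port)."""
    return Counter((r["domain"], r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")


def ptr_targets(rows):
    """IPs that were reverse-resolved: 'd.c.b.a.in-addr.arpa' -> 'a.b.c.d'."""
    targets = set()
    for r in rows:
        if r["domain"].endswith(PTR_SUFFIX):
            octets = r["domain"][: -len(PTR_SUFFIX)].split(".")
            targets.add(".".join(reversed(octets)))
    return targets


def ptr_only_ips(rows):
    """IPs reverse-resolved but never seen as a TCP destination; the resolver
    itself (destination of the UDP/53 rows) is excluded."""
    resolvers = {r["ip"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    connected = {r["ip"] for r in rows if r["proto"] == "tcp"}
    return sorted(ptr_targets(rows) - connected - resolvers)


def c2_endpoints(rows, c2_domains=C2_DOMAINS):
    """domain -> sorted 'ip:port' endpoints, restricted to the flagged domains."""
    grouped = defaultdict(set)
    for domain, ip, port in tcp_connections(rows):
        if domain in c2_domains:
            grouped[domain].add(f"{ip}:{port}")
    return {d: sorted(eps) for d, eps in sorted(grouped.items())}


if __name__ == "__main__":
    rows = parse_net(SAMPLE_NET)
    for (domain, ip, port), n in tcp_connections(rows).most_common():
        print(f"{n:2d}x {domain} {ip}:{port}")
    print("flagged endpoints:", c2_endpoints(rows))
    print("PTR-only IPs:", ptr_only_ips(rows))
```

The split into flagged and unflagged endpoints matters for blocking: discord.com and raw.githubusercontent.com are shared infrastructure, so the IPs are not useful as block-list entries on their own, whereas the domain plus the behaviour (a non-browser process opening TLS sessions to the Discord gateway) is the detectable part.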

Files

memory/4496-0-0x00007FFE378C3000-0x00007FFE378C5000-memory.dmp

memory/4496-1-0x000002067D840000-0x000002067D858000-memory.dmp

memory/4496-2-0x000002067FE20000-0x000002067FFE2000-memory.dmp

memory/4496-3-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

memory/4496-4-0x00000206186A0000-0x0000020618BC8000-memory.dmp

memory/4496-5-0x00007FFE378C3000-0x00007FFE378C5000-memory.dmp

memory/4496-6-0x00007FFE378C0000-0x00007FFE38381000-memory.dmp

memory/4496-7-0x00000206181A0000-0x00000206181DE000-memory.dmp

memory/4496-8-0x00007FFE558D0000-0x00007FFE55AC5000-memory.dmp

memory/4496-9-0x00007FFE539B0000-0x00007FFE53A6E000-memory.dmp

memory/328-10-0x0000000140000000-0x0000000140040000-memory.dmp

memory/328-15-0x0000000140000000-0x0000000140040000-memory.dmp

memory/328-14-0x00007FFE539B0000-0x00007FFE53A6E000-memory.dmp

memory/328-13-0x00007FFE558D0000-0x00007FFE55AC5000-memory.dmp

memory/328-12-0x0000000140000000-0x0000000140040000-memory.dmp

memory/328-11-0x0000000140000000-0x0000000140040000-memory.dmp

memory/664-24-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/936-33-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/936-43-0x00007FFE5596C000-0x00007FFE5596D000-memory.dmp

memory/1156-63-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/1236-67-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/1236-66-0x000001FC61D30000-0x000001FC61D5A000-memory.dmp

memory/1096-139-0x000002558F2F0000-0x000002558F31A000-memory.dmp

memory/932-138-0x0000023A7AC60000-0x0000023A7AC8A000-memory.dmp

memory/1156-62-0x00000266C2DC0000-0x00000266C2DEA000-memory.dmp

memory/1132-60-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/1132-59-0x000001F6E3030000-0x000001F6E305A000-memory.dmp

memory/1108-57-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/1108-56-0x000002548BF40000-0x000002548BF6A000-memory.dmp

memory/1096-54-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/1096-53-0x000002558F2F0000-0x000002558F31A000-memory.dmp

memory/932-51-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/932-50-0x0000023A7AC60000-0x0000023A7AC8A000-memory.dmp

memory/504-44-0x00000197F5F20000-0x00000197F5F4A000-memory.dmp

memory/936-42-0x000001C4D5050000-0x000001C4D507A000-memory.dmp

memory/1016-41-0x0000026C13E30000-0x0000026C13E5A000-memory.dmp

memory/664-40-0x0000023A4A800000-0x0000023A4A82A000-memory.dmp

memory/604-39-0x00007FFE5596D000-0x00007FFE5596E000-memory.dmp

memory/604-38-0x000002721DAA0000-0x000002721DACA000-memory.dmp

memory/504-36-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/504-35-0x00000197F5F20000-0x00000197F5F4A000-memory.dmp

memory/936-32-0x000001C4D5050000-0x000001C4D507A000-memory.dmp

memory/1016-29-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/1016-28-0x0000026C13E30000-0x0000026C13E5A000-memory.dmp

memory/664-23-0x0000023A4A800000-0x0000023A4A82A000-memory.dmp

memory/604-20-0x00007FFE15950000-0x00007FFE15960000-memory.dmp

memory/604-19-0x000002721DAA0000-0x000002721DACA000-memory.dmp

memory/604-18-0x000002721DA00000-0x000002721DA23000-memory.dmp

memory/4496-290-0x000002067FFF0000-0x0000020680066000-memory.dmp

memory/4496-291-0x0000020618570000-0x0000020618582000-memory.dmp

memory/4496-292-0x000002067F530000-0x000002067F54E000-memory.dmp

memory/504-293-0x00000197F5F20000-0x00000197F5F4A000-memory.dmp