Overview
overview
10Static
static
3Discord-RA...ram.js
windows7-x64
10Discord-RA...ram.js
windows10-2004-x64
3Discord-RA...er.dll
windows7-x64
1Discord-RA...er.dll
windows10-2004-x64
1Discord-RA...er.dll
windows7-x64
1Discord-RA...er.dll
windows10-2004-x64
1Discord-RA...am.dll
windows7-x64
1Discord-RA...am.dll
windows10-2004-x64
1Discord-RA...it.exe
windows7-x64
10Discord-RA...it.exe
windows10-2004-x64
10Discord-RA...it.exe
windows7-x64
10Discord-RA...it.exe
windows10-2004-x64
10Discord-RA...ib.dll
windows7-x64
1Discord-RA...ib.dll
windows10-2004-x64
1Discord-RA...ib.dll
windows7-x64
1Discord-RA...ib.dll
windows10-2004-x64
1Discord-RA...ib.dll
windows7-x64
1Discord-RA...ib.dll
windows10-2004-x64
1Discord-RA...er.ps1
windows7-x64
3Discord-RA...er.ps1
windows10-2004-x64
3Discord-RA...ser.js
windows7-x64
3Discord-RA...ser.js
windows10-2004-x64
3Discord-RA...ble.js
windows7-x64
3Discord-RA...ble.js
windows10-2004-x64
3Discord-RA...eam.js
windows7-x64
3Discord-RA...eam.js
windows10-2004-x64
3Discord-RA...ull.js
windows7-x64
3Discord-RA...ull.js
windows10-2004-x64
3Discord-RA...ect.js
windows7-x64
3Discord-RA...ect.js
windows10-2004-x64
3Discord-RA...tor.js
windows7-x64
3Discord-RA...tor.js
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-07-2024 03:39
Static task
static1
Behavioral task
behavioral1
Sample
Discord-RAT-2.0-master/Discord rat/Program.js
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Discord-RAT-2.0-master/Discord rat/Program.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Discord-RAT-2.0-master/Discord rat/Resources/PasswordStealer.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Discord-RAT-2.0-master/Discord rat/Resources/PasswordStealer.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Discord-RAT-2.0-master/Discord rat/Resources/Token grabber.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Discord-RAT-2.0-master/Discord rat/Resources/Token grabber.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
Discord-RAT-2.0-master/Discord rat/Resources/Webcam.dll
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
Discord-RAT-2.0-master/Discord rat/Resources/Webcam.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
Discord-RAT-2.0-master/Discord rat/Resources/rootkit.exe
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
Discord-RAT-2.0-master/Discord rat/Resources/rootkit.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
Discord-RAT-2.0-master/Discord rat/Resources/unrootkit.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Discord-RAT-2.0-master/Discord rat/Resources/unrootkit.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/net35/dnlib.dll
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/net35/dnlib.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/net45/dnlib.dll
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/net45/dnlib.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/netstandard2.0/dnlib.dll
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/netstandard2.0/dnlib.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
Discord-RAT-2.0-master/Token grabber/grabber.ps1
Resource
win7-20240611-en
Behavioral task
behavioral20
Sample
Discord-RAT-2.0-master/Token grabber/grabber.ps1
Resource
win10v2004-20240611-en
Behavioral task
behavioral21
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/ASN1StreamParser.js
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/ASN1StreamParser.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral23
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Encodable.js
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Encodable.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1InputStream.js
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1InputStream.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Null.js
Resource
win7-20240419-en
Behavioral task
behavioral28
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Null.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Object.js
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Object.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1ObjectDescriptor.js
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1ObjectDescriptor.js
Resource
win10v2004-20240611-en
General
-
Target
Discord-RAT-2.0-master/Discord rat/Resources/rootkit.exe
-
Size
223KB
-
MD5
d72fea64a05b3f7dce725352d7c1d032
-
SHA1
9c27e234567d237d9c495353567f2efa42e8f616
-
SHA256
8fdae5b4490183c9057a684f0ac2f82dd5c8911cb2f43a54ff47a9ad6e93952a
-
SHA512
56bb1c4d83587ecc5f8bb41882d449e1812cdf1db1fee4068f5ef1b49f28d3e0af95e14f306d494a6c6cd4771c052360a96388f59bfa409affb3b21790da00d3
-
SSDEEP
6144:wguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOks:kKLBwiZlzMB9xgndcP88DvvP
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
rootkit.exedescription pid process target process PID 2716 created 624 2716 rootkit.exe winlogon.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" WaaSMedicAgent.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exedescription ioc process File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\V: svchost.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
wmiprvse.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe -
Drops file in System32 directory 21 IoCs
Processes:
svchost.exeOfficeClickToRun.exesvchost.exesvchost.exesvchost.exelsass.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A OfficeClickToRun.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D lsass.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rootkit.exedescription pid process target process PID 2716 set thread context of 3432 2716 rootkit.exe dllhost.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\EventCache.v2\{4E3A2C56-F6CF-44DC-94A9-BA869AC1A54A}.bin svchost.exe -
Checks SCSI registry key(s) 3 TTPs 24 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 svchost.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
mousocoreworker.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 mousocoreworker.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
mousocoreworker.exewmiprvse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
WaaSMedicAgent.exeOfficeClickToRun.exemousocoreworker.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018400FE50F738B = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000bafa4e1cec2ead41a6ab3c1b458ef4020000000002000000000010660000000100002000000012aa7596e99dd03eb749e5d902127eac04d9593b0c6c86d89121dfda737ccb19000000000e8000000002000020000000be84cedaeed80c9c3e1a5231e0db0054b64bde1ad92d33a339a196234eef667d8000000097a2c9580f226985d246b9c164df600d4ebb18005448191f44e732155f9f5e96d809956dad8006b35e66f9419210104f81817f5869a8d3349c960c0a922f1f24c9e8302da1ccbc7f1f7ebbfd5a5c5aa45446fdde4b53146a55812e692278cc195bae23f3fb19bc6a4c3552661441d4d6d9bddcb166bab8a491f90a38431a161040000000df9ee70bc308e9e382d9af25163314ba1857ca1c698d5fd1825cd8a5ec3512e54e50124af8a07cfdacbc4c143c91ebd27a3498e496cdb0cac8a02be7faada666 mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mousocoreworker.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 03 Jul 2024 03:41:03 GMT" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1719978062" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qmtbucoceoooxu svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qmtbucoceoooxu\Provision Wednesday, July 03, 2024 03:39:47 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuvpOHOwurUGmqzwbRY70AgAAAAACAAAAAAAQZgAAAAEAACAAAABjJbzhALVHmynBorPXHTPzQwWbwiHVApc91XBlgysoFgAAAAAOgAAAAAIAACAAAACcaj1LbskQu5PWcxKpk3MhCmdwJ0a8VVET+G1/gSx+yCAAAABHnwY1RkyhhDi3NfhjJSFGl7tjnpC/cQDvw5JZq7VMGkAAAABHKBv9CsghDozZUoDiCU01yf6nLRMoIeXuleHRYnNnpXe8MZsdoZT+Ni/XnnIwxy+XdPOb/r+rTu8SkUIiolMg" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02disoyvepagcqpv\Provision Wednesday, July 03, 2024 03:39:45 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuvpOHOwurUGmqzwbRY70AgAAAAACAAAAAAAQZgAAAAEAACAAAABdBc6SlbKo/fa7Sw53le0NztxM9Hznd7nHFy1IVwsS7AAAAAAOgAAAAAIAACAAAABGWq+HbVQ0RmnLSspnC38Xzi584Iz60kGqGdyzbljWfCAAAAB/H9ovOuE63WZcQ60m/u9TGb4QJyuHy15NsBvGcnlOUUAAAAAYysBOq7+XJJL/ind5UKeS6MaTH81ESShpgDqbb9lTdLaf2N6zB2kGnOfPzwhkQmkdxCMVt0ntOyzv9EB4Ppu1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5436FE63-05F9-49BF-A4B9-404397A5E0C9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02sncikvpqvtvaxe\Reason = "2147750679" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qmtbucoceoooxu\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02disoyvepagcqpv svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qmtbucoceoooxu\DeviceId = "<Data LastUpdatedTime=\"1719977988\"><User username=\"02QMTBUCOCEOOOXU\"><HardwareInfo BoundTime=\"1719977988\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400FE50F738B" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02sncikvpqvtvaxe\AppIdList svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qmtbucoceoooxu svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02qmtbucoceoooxu" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rootkit.exedllhost.exepid process 2716 rootkit.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe 3432 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rootkit.exedllhost.exesvchost.exesvchost.exedescription pid process Token: SeDebugPrivilege 2716 rootkit.exe Token: SeDebugPrivilege 2716 rootkit.exe Token: SeDebugPrivilege 3432 dllhost.exe Token: SeShutdownPrivilege 1768 svchost.exe Token: SeCreatePagefilePrivilege 1768 svchost.exe Token: SeShutdownPrivilege 1768 svchost.exe Token: SeCreatePagefilePrivilege 1768 svchost.exe Token: SeShutdownPrivilege 1768 svchost.exe Token: SeCreatePagefilePrivilege 1768 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2196 svchost.exe Token: SeIncreaseQuotaPrivilege 2196 svchost.exe Token: SeSecurityPrivilege 2196 svchost.exe Token: SeTakeOwnershipPrivilege 2196 svchost.exe Token: SeLoadDriverPrivilege 2196 svchost.exe Token: SeBackupPrivilege 2196 svchost.exe Token: SeRestorePrivilege 2196 svchost.exe Token: SeShutdownPrivilege 2196 svchost.exe Token: SeSystemEnvironmentPrivilege 2196 svchost.exe Token: SeManageVolumePrivilege 2196 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2196 svchost.exe Token: SeIncreaseQuotaPrivilege 2196 svchost.exe Token: SeSecurityPrivilege 2196 svchost.exe Token: SeTakeOwnershipPrivilege 2196 svchost.exe Token: SeLoadDriverPrivilege 2196 svchost.exe Token: SeSystemtimePrivilege 2196 svchost.exe Token: SeBackupPrivilege 2196 svchost.exe Token: SeRestorePrivilege 2196 svchost.exe Token: SeShutdownPrivilege 2196 svchost.exe Token: SeSystemEnvironmentPrivilege 2196 svchost.exe Token: SeUndockPrivilege 2196 svchost.exe Token: SeManageVolumePrivilege 2196 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2196 svchost.exe Token: SeIncreaseQuotaPrivilege 2196 svchost.exe Token: SeSecurityPrivilege 2196 svchost.exe Token: SeTakeOwnershipPrivilege 2196 svchost.exe Token: SeLoadDriverPrivilege 2196 svchost.exe Token: SeSystemtimePrivilege 2196 svchost.exe Token: SeBackupPrivilege 2196 svchost.exe Token: SeRestorePrivilege 2196 svchost.exe Token: SeShutdownPrivilege 2196 svchost.exe Token: SeSystemEnvironmentPrivilege 2196 svchost.exe Token: SeUndockPrivilege 2196 svchost.exe Token: SeManageVolumePrivilege 2196 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2196 svchost.exe Token: SeIncreaseQuotaPrivilege 2196 svchost.exe Token: SeSecurityPrivilege 2196 svchost.exe Token: SeTakeOwnershipPrivilege 2196 svchost.exe Token: SeLoadDriverPrivilege 2196 svchost.exe Token: SeSystemtimePrivilege 2196 svchost.exe Token: SeBackupPrivilege 2196 svchost.exe Token: SeRestorePrivilege 2196 svchost.exe Token: SeShutdownPrivilege 2196 svchost.exe Token: SeSystemEnvironmentPrivilege 2196 svchost.exe Token: SeUndockPrivilege 2196 svchost.exe Token: SeManageVolumePrivilege 2196 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2196 svchost.exe Token: SeIncreaseQuotaPrivilege 2196 svchost.exe Token: SeSecurityPrivilege 2196 svchost.exe Token: SeTakeOwnershipPrivilege 2196 svchost.exe Token: SeLoadDriverPrivilege 2196 svchost.exe Token: SeSystemtimePrivilege 2196 svchost.exe Token: SeBackupPrivilege 2196 svchost.exe Token: SeRestorePrivilege 2196 svchost.exe Token: SeShutdownPrivilege 2196 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rootkit.exedllhost.exedescription pid process target process PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 2716 wrote to memory of 3432 2716 rootkit.exe dllhost.exe PID 3432 wrote to memory of 624 3432 dllhost.exe winlogon.exe PID 3432 wrote to memory of 676 3432 dllhost.exe lsass.exe PID 3432 wrote to memory of 952 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 316 3432 dllhost.exe dwm.exe PID 3432 wrote to memory of 740 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1048 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1104 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1116 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1180 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1208 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1264 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1328 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1356 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1424 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1432 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1560 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1572 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1652 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1676 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1744 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1776 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1824 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1916 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1924 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1960 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1176 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 1876 3432 dllhost.exe spoolsv.exe PID 3432 wrote to memory of 2156 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2196 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2280 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2416 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2424 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2564 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2644 3432 dllhost.exe sysmon.exe PID 3432 wrote to memory of 2652 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2676 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2700 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 2912 3432 dllhost.exe unsecapp.exe PID 3432 wrote to memory of 2988 3432 dllhost.exe sihost.exe PID 3432 wrote to memory of 2816 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 3128 3432 dllhost.exe taskhostw.exe PID 3432 wrote to memory of 3184 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 3340 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 3436 3432 dllhost.exe Explorer.EXE PID 3432 wrote to memory of 3556 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 3752 3432 dllhost.exe DllHost.exe PID 3432 wrote to memory of 3924 3432 dllhost.exe RuntimeBroker.exe PID 3432 wrote to memory of 3572 3432 dllhost.exe RuntimeBroker.exe PID 3432 wrote to memory of 4624 3432 dllhost.exe RuntimeBroker.exe PID 3432 wrote to memory of 2588 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 404 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 3724 3432 dllhost.exe svchost.exe PID 3432 wrote to memory of 5064 3432 dllhost.exe OfficeClickToRun.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:624
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f607ae4c-d8be-481c-a6be-c99496578dba}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Drops file in System32 directory
PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:740
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1048
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3128
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1424
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2988
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1560
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1572
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1676
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1916
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1960
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1176
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1876
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2156
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2564
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
PID:2652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2700
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3340
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\Discord-RAT-2.0-master\Discord rat\Resources\rootkit.exe"C:\Users\Admin\AppData\Local\Temp\Discord-RAT-2.0-master\Discord rat\Resources\rootkit.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3556
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3752
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3924
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3572
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4624
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2588
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3724
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5064
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4280
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1640
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2628
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2732
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe f187f78931eb08435fedf36a11295a15 bhLuJnK5HE6w+XgDvyvCFA.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2836 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2144
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1084
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:2432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:5004
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3836
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
PID:5016
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD54b5e956bb7f8e56e60a5d4acfc5b5f36
SHA165214ad1dfca20d5d0f21987e86f0f0a11124765
SHA2568488e13d9c1469dda79c9ebe622eebce99310e11b5467f18079465df741333ba
SHA512195a29a7eb90c43b27cf14a4bf9c8f8ffdd9e7bb9c99daa96e9aadb06f2cfc78b572c379cc7c59f240f48ec265ecbd670264e3eafe47d82d38c1737982eeab7a