Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-07-2024 15:39
Behavioral task: behavioral1
- Sample: veydovokna.exe
- Resource: win10-20240404-en
General
- Target: veydovokna.exe
- Size: 78KB
- MD5: 7ee32f2553fa474e79b2f1a444172735
- SHA1: fc17876384c197f73a7471850d13748aa6f659b0
- SHA256: d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39
- SHA512: 2789dc16e615f28c29f5e81ade9e4b03a47d9855cc9092bbcdf90ce7419fe38cabd729a87f038f4aa3d8e2f5317ac69a0637737f468dd8d05532dbd3dda738b9
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC
Malware Config
Extracted (family: discordrat)
- discord_token: MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls
- server_id: 1257063713945419826
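The extracted config is enough to pivot on without running the sample again. The Python below is an illustration added to this report, not code from the sandbox or from the RAT's author. It decodes what is recoverable offline from the two values above: the first segment of a Discord bot token is the base64 of the bot's user ID, and every Discord snowflake (bot user ID, server_id) carries its creation time in its upper 42 bits as milliseconds since 2015-01-01 UTC. It also scans a strings dump for token-shaped values, which is how the token is hunted in the memory dumps listed at the end of this report. The token and server_id are the report's; the strings dump is constructed for the example, and the token's second (issue-time) segment is deliberately left undecoded.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Values copied from the "Malware Config" block of this report.
EXTRACTED_CONFIG = {
    "family": "discordrat",
    "discord_token": "MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls",
    "server_id": "1257063713945419826",
}

# Discord snowflake IDs (users, guilds, channels) store their creation time in the top
# 42 bits as milliseconds since 2015-01-01T00:00:00Z.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Bot token layout: base64(bot user id) "." 6-char timestamp segment "." opaque signature
# segment, all in the URL-safe base64 alphabet without padding. The lookarounds keep a
# token embedded in a longer line from being split or merged with its neighbours.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])"
    r"([A-Za-z0-9_-]{23,28})\.([A-Za-z0-9_-]{6,7})\.([A-Za-z0-9_-]{27,})"
    r"(?![A-Za-z0-9_.-])"
)

# Constructed strings dump: what `strings` might pull from the sample's memory, with the
# token sitting among unrelated .NET and URL strings. Not taken from the report.
SAMPLE_STRINGS = """\
mscoree.dll
_CorExeMain
https://discord.com/api/v10/gateway
MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls
1257063713945419826
d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39
"""


def b64url_decode_unpadded(segment):
    """Decode URL-safe base64 whose '=' padding was stripped (as token segments are)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def snowflake_to_datetime(snowflake):
    """Creation time embedded in a Discord snowflake, as an aware UTC datetime."""
    return DISCORD_EPOCH + timedelta(milliseconds=int(snowflake) >> 22)


def parse_bot_token(token):
    """Split a bot token and decode the bot user id from its first segment.
    The second segment (token issue time) is kept as-is; its encoding is not decoded here."""
    m = TOKEN_RE.fullmatch(token)
    if m is None:
        raise ValueError("not shaped like a Discord bot token")
    user_id = b64url_decode_unpadded(m.group(1)).decode("ascii")
    if not user_id.isdigit():
        raise ValueError("first segment does not decode to a numeric user id")
    return {
        "bot_user_id": user_id,
        "bot_created": snowflake_to_datetime(user_id),
        "timestamp_segment": m.group(2),
        "signature_segment": m.group(3),
    }


def find_tokens(text):
    """Token-shaped substrings of a strings dump whose first segment decodes to a numeric
    id; anything else matching the shape is discarded as a false positive."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        try:
            parse_bot_token(m.group(0))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError too
            continue
        hits.append(m.group(0))
    return hits


def triage(config):
    """Pivot points an analyst gets from the extracted config without touching Discord."""
    token = parse_bot_token(config["discord_token"])
    return {
        "bot_user_id": token["bot_user_id"],
        "bot_created_utc": token["bot_created"].isoformat(timespec="seconds"),
        "server_id": config["server_id"],
        "server_created_utc": snowflake_to_datetime(config["server_id"]).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
    print("tokens in strings dump:", find_tokens(SAMPLE_STRINGS))
```

Run against this report's values, the bot user ID decodes to 1256624939973480638 (created 2024-06-29 UTC) and the server was created 2024-06-30 UTC, both a few days before the 03-07-2024 submission, which fits a freshly stood-up C2. Checking whether the token is still live would mean a GET to https://discord.com/api/v10/users/@me with an "Authorization: Bot <token>" header; the block does not make that request, so it runs offline and leaves no trace with the operator.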
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 512 created 556 | 512 | veydovokna.exe | winlogon.exe
  The process tree below lists dllhost.exe (PID 4896) as a child of winlogon.exe (PID 556), while the SetThreadContext and WriteProcessMemory signatures show veydovokna.exe (PID 512) populating that process: the parent recorded on the new process is not the process that created it.
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)
  flow | ioc
  4 | discord.com
  5 | discord.com
  24 | raw.githubusercontent.com
  23 | raw.githubusercontent.com
  30 | discord.com
  13 | discord.com
  28 | discord.com
  29 | discord.com
  34 | discord.com
  9 | discord.com
  12 | discord.com
  25 | discord.com
  27 | discord.com
- Drops file in System32 directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 512 set thread context of 4896 | 512 | veydovokna.exe | dllhost.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
  Both sets of registry reads were made by taskmgr.exe (PID 5772, running under Explorer.EXE), not by the sample (PID 512) or the dllhost.exe it injected into (PID 4896), so they are not evidence of sandbox evasion by the sample. The Ven_QEMU disk identifier does show that the analysis VM is QEMU-backed.
- Modifies Internet Explorer settings (3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry | PaintStudio.View.exe
  Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions | PaintStudio.View.exe
  Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached | PaintStudio.View.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | OfficeClickToRun.exe
- Modifies registry class (12 IoCs)
  All 12 entries are by PaintStudio.View.exe under \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings; the ioc column is given relative to that key.
  description | ioc
  Set value (str) | Cache\History\CachePrefix = "Visited:"
  Set value (int) | Cache\History\CacheLimit = "1"
  Key created | Cache
  Key created | Cache\Extensible Cache
  Set value (str) | Cache\Content\CachePrefix
  Key created | Cache\Cookies
  Set value (str) | Cache\Cookies\CachePrefix = "Cookie:"
  Set value (int) | Cache\Cookies\CacheLimit = "1"
  Key created | Cache\History
  Key created | (the Internet Settings key itself)
  Key created | Cache\Content
  Set value (int) | Cache\Content\CacheLimit = "51200"
  These are the ordinary AppContainer cache keys of the Paint app; nothing here involves the sample's process chain.
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | process
  880 | vlc.exe
  1164 | PaintStudio.View.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1164 | PaintStudio.View.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  880 | vlc.exe
  3324 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (41 IoCs, summarised by process)
  pid | process | privilege enabled | count
  512 | veydovokna.exe | SeDebugPrivilege | 3
  4896 | dllhost.exe | SeDebugPrivilege | 1
  1164 | PaintStudio.View.exe | SeDebugPrivilege | 3
  5772 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege | 1 each
  1592 | svchost.exe | SeAuditPrivilege | 1
  3324 | Explorer.EXE | SeShutdownPrivilege, SeCreatePagefilePrivilege | 13 each
  3840 | RuntimeBroker.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege | 2 each
  The entries that matter for this sample are SeDebugPrivilege in PIDs 512 and 4896: that privilege is what lets a process open other processes, including lsass.exe and winlogon.exe, for the WriteProcessMemory calls recorded below. The Explorer.EXE, RuntimeBroker.exe and taskmgr.exe entries are routine shell activity.
- Suspicious use of FindShellTrayWindow (64 IoCs, summarised by process)
  pid | process | count
  1444 | notepad.exe | 1
  880 | vlc.exe | 9
  3324 | Explorer.EXE | 6
  1012 | dwm.exe | 24
  5772 | taskmgr.exe | 24
- Suspicious use of SendNotifyMessage (64 IoCs, summarised by process)
  pid | process | count
  880 | vlc.exe | 8
  3324 | Explorer.EXE | 48
  5772 | taskmgr.exe | 8
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | process | count
  880 | vlc.exe | 1
  1164 | PaintStudio.View.exe | 1
  4572 | mspaint.exe | 4
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 512 wrote to memory of 4896 | 512 | veydovokna.exe | dllhost.exe (11 times)
  PID 4896 wrote to memory of each of the following | 4896 | dllhost.exe | 53 targets, listed as pid image:
  556 winlogon.exe, 644 lsass.exe, 752 svchost.exe, 912 svchost.exe, 1012 dwm.exe, 420 svchost.exe, 504 svchost.exe, 628 svchost.exe, 1084 svchost.exe, 1108 svchost.exe, 1192 svchost.exe, 1200 svchost.exe, 1232 svchost.exe, 1240 svchost.exe, 1380 svchost.exe, 1404 svchost.exe, 1436 svchost.exe, 1512 svchost.exe, 1560 svchost.exe, 1616 svchost.exe, 1632 svchost.exe, 1728 svchost.exe, 1760 svchost.exe, 1772 svchost.exe, 1828 svchost.exe, 1860 svchost.exe, 2044 spoolsv.exe, 1592 svchost.exe, 2220 svchost.exe, 2240 svchost.exe, 2248 svchost.exe, 2288 svchost.exe, 2348 sysmon.exe, 2380 svchost.exe, 2420 svchost.exe, 2432 svchost.exe, 2448 svchost.exe, 2696 svchost.exe, 2968 unsecapp.exe, 2976 svchost.exe, 2988 sihost.exe, 2184 taskhostw.exe, 3180 svchost.exe, 3324 Explorer.EXE, 3840 RuntimeBroker.exe, 4080 DllHost.exe, 4764 svchost.exe, 4952 svchost.exe, 5016 svchost.exe, 3080 OfficeClickToRun.exe, 4008 svchost.exe, 4508 DllHost.exe, 2360 ApplicationFrameHost.exe
  Read together with the SetThreadContext entry, the sequence is: the sample writes into the freshly created dllhost.exe eleven times and then resets its thread context, after which that dllhost.exe writes into essentially every running process, including lsass.exe, winlogon.exe and the sandbox's own sysmon.exe (PID 2348).
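The three signatures NtCreateUserProcessOtherParentProcess, SetThreadContext and WriteProcessMemory describe a single chain: veydovokna.exe (512) creates dllhost.exe (4896) with winlogon.exe (556) recorded as its parent, writes into it and resets its thread context, and 4896 then writes into 53 other processes. The Python below is a detection sketch added to this report, not code from the sandbox or any product, run over an event list constructed from the report (a subset of the write targets, with the report's PIDs and image names). The event shape (kind, source, target, recorded parent) is an assumption standing in for whatever a Sysmon or ETW pipeline provides; the four checks are the point: a creator that is not the recorded parent, write plus SetThreadContext on the same pair, a source fanning out into many processes or into lsass/winlogon, and a walk of the chain outward from the sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One cross-process event in the shape a sandbox or Sysmon/ETW feed might report it
    (assumed schema for this example)."""
    kind: str                          # "create", "write_memory" or "set_thread_context"
    src_pid: int                       # process performing the action
    src_image: str
    dst_pid: int                       # process acted upon (the new child for "create")
    dst_image: str
    parent_pid: Optional[int] = None   # "create" only: parent recorded on the new process
    parent_image: Optional[str] = None


def _writes(src_pid, src_image, targets):
    return [Event("write_memory", src_pid, src_image, pid, image) for pid, image in targets]


# Constructed event stream re-keyed from this report: a subset of the 64 WriteProcessMemory
# IoCs so the block stays short. PIDs and image names are the report's.
EVENTS = [
    Event("create", 512, "veydovokna.exe", 4896, "dllhost.exe", 556, "winlogon.exe"),
    *_writes(512, "veydovokna.exe", [(4896, "dllhost.exe")] * 11),
    Event("set_thread_context", 512, "veydovokna.exe", 4896, "dllhost.exe"),
    *_writes(4896, "dllhost.exe", [
        (556, "winlogon.exe"), (644, "lsass.exe"), (752, "svchost.exe"), (1012, "dwm.exe"),
        (2044, "spoolsv.exe"), (2348, "sysmon.exe"), (3324, "Explorer.EXE"),
        (3840, "RuntimeBroker.exe"),
    ]),
]

# Processes whose compromise has outsized impact (credential material, logon handling).
HIGH_VALUE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}


def parent_spoofing(events):
    """Creations where the recorded parent is not the caller of NtCreateUserProcess.
    Returns (creator pid, child pid, recorded parent pid) triples."""
    return [
        (e.src_pid, e.dst_pid, e.parent_pid)
        for e in events
        if e.kind == "create" and e.parent_pid is not None and e.parent_pid != e.src_pid
    ]


def hollowing_candidates(events):
    """(source, target) pairs that saw both cross-process writes and SetThreadContext:
    the sequence used to replace a suspended child's image before its first thread runs."""
    written = {(e.src_pid, e.dst_pid) for e in events if e.kind == "write_memory"}
    retargeted = {(e.src_pid, e.dst_pid) for e in events if e.kind == "set_thread_context"}
    return sorted(written & retargeted)


def injection_fanout(events, min_targets=5):
    """Sources that wrote into at least min_targets distinct other processes."""
    targets = defaultdict(set)
    for e in events:
        if e.kind == "write_memory" and e.src_pid != e.dst_pid:
            targets[e.src_pid].add(e.dst_pid)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def high_value_writes(events):
    """Cross-process writes whose target is on the high-value list."""
    return sorted({
        (e.src_pid, e.dst_pid, e.dst_image)
        for e in events
        if e.kind == "write_memory" and e.dst_image.lower() in HIGH_VALUE_TARGETS
    })


def injection_chain(events, root_pid):
    """Walk write/context edges outward from root_pid; returns {pid: sorted child pids}."""
    edges = defaultdict(set)
    for e in events:
        if e.kind in ("write_memory", "set_thread_context") and e.src_pid != e.dst_pid:
            edges[e.src_pid].add(e.dst_pid)
    chain, frontier, seen = {}, [root_pid], {root_pid}
    while frontier:
        pid = frontier.pop()
        chain[pid] = sorted(edges.get(pid, ()))
        for child in chain[pid]:
            if child not in seen:
                seen.add(child)
                frontier.append(child)
    return chain


if __name__ == "__main__":
    print("parent spoofing:", parent_spoofing(EVENTS))
    print("hollowing candidates:", hollowing_candidates(EVENTS))
    print("fan-out:", {k: sorted(v) for k, v in injection_fanout(EVENTS).items()})
    print("high-value writes:", high_value_writes(EVENTS))
    print("chain from 512:", injection_chain(EVENTS, 512))
```

On the constructed stream the creator/parent mismatch flags (512, 4896, 556), the write+context pair flags (512, 4896), the fan-out check singles out 4896 rather than 512 (the sample only ever writes into one process), and the chain walk recovers 512 -> 4896 -> everything else. In a real pipeline the parent check needs the creating PID from the kernel-level create event, not the PPID stored on the child, which is exactly the field the spoof controls.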
Processes
Indentation shows parent/child as the sandbox recorded it; each line gives the PID, the command line (or image path where only that was recorded), and any signatures hit.

- PID 556  C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)
  - PID 1012  C:\Windows\system32\dwm.exe  (cmdline: "dwm.exe")
      signatures: Suspicious use of FindShellTrayWindow
  - PID 4896  C:\Windows\System32\dllhost.exe /Processid:{e7d6cd19-0383-45ce-b7fb-436e9ad97cca}
      signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      (recorded under winlogon.exe, but created and written to by veydovokna.exe, PID 512; see the NtCreateUserProcessOtherParentProcess, SetThreadContext and WriteProcessMemory signatures)
- PID 644  C:\Windows\system32\lsass.exe
- PID 752  c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
- PID 912  c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
- PID 420  c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- PID 504  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
- PID 628  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
- PID 1084  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
- PID 1108  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  - PID 2184  c:\windows\system32\taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 1192  c:\windows\system32\svchost.exe -k localservice -s nsi
- PID 1200  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- PID 1232  c:\windows\system32\svchost.exe -k localservice -s EventSystem
- PID 1240  c:\windows\system32\svchost.exe -k netsvcs -s Themes
- PID 1380  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
- PID 1404  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
  - PID 2988  c:\windows\system32\sihost.exe
- PID 1436  c:\windows\system32\svchost.exe -k netsvcs -s SENS
- PID 1512  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
- PID 1560  c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
- PID 1616  c:\windows\system32\svchost.exe -k networkservice -s Dnscache
- PID 1632  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- PID 1728  c:\windows\system32\svchost.exe -k localservice -s netprofm
- PID 1760  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- PID 1772  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
- PID 1828  c:\windows\system32\svchost.exe -k appmodel -s StateRepository
- PID 1860  c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- PID 2044  C:\Windows\System32\spoolsv.exe
- PID 1592  c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
    signatures: Suspicious use of AdjustPrivilegeToken
- PID 2220  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- PID 2240  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- PID 2248  c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
    signatures: Drops file in System32 directory
- PID 2288  c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
- PID 2348  C:\Windows\sysmon.exe
- PID 2380  c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- PID 2420  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
- PID 2432  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
- PID 2448  c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- PID 2696  c:\windows\system32\svchost.exe -k netsvcs -s Browser
- PID 2968  C:\Windows\system32\wbem\unsecapp.exe -Embedding
- PID 2976  c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- PID 3180  c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
- PID 3324  C:\Windows\Explorer.EXE
    signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - PID 512  "C:\Users\Admin\AppData\Local\Temp\veydovokna.exe"  (the submitted sample)
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 1444  "C:\Windows\system32\notepad.exe"
      signatures: Suspicious use of FindShellTrayWindow
  - PID 880  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterSplit.ogg"
      signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - PID 4572  "C:\Windows\system32\mspaint.exe"
      signatures: Drops file in Windows directory; Suspicious use of SetWindowsHookEx
  - PID 5772  "C:\Windows\system32\taskmgr.exe" /7
      signatures: Drops file in Windows directory; Checks SCSI registry key(s); Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID 3840  C:\Windows\System32\RuntimeBroker.exe -Embedding
    signatures: Suspicious use of AdjustPrivilegeToken
- PID 4080  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 4764  c:\windows\system32\svchost.exe -k localservice -s CDPSvc
- PID 4952  c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
- PID 5016  C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    signatures: Modifies data under HKEY_USERS
- PID 3080  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    signatures: Drops file in System32 directory; Modifies data under HKEY_USERS
- PID 4008  c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
- PID 4508  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 2360  C:\Windows\system32\ApplicationFrameHost.exe -Embedding
- PID 4964  C:\Windows\System32\InstallAgent.exe -Embedding
- PID 1316  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
- PID 4332  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
- PID 2400  c:\windows\system32\svchost.exe -k localservice -s LicenseManager  (image path recorded as \??\c:\windows\system32\svchost.exe)
- PID 1164  "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- PID 2028  C:\Windows\system32\svchost.exe -k imgsvc
- PID 2332  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService  (image path recorded as \??\c:\windows\system32\svchost.exe)
- PID 5680  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

The only processes in this tree that belong to the sample are PID 512 and the dllhost.exe it populated, PID 4896. The signatures on notepad.exe, vlc.exe, mspaint.exe, taskmgr.exe and PaintStudio.View.exe come from ordinary desktop applications running in the analysis session.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
  Filesize: 233B
  MD5: 721836bbbbc66f60f370b7b4dfa46834
  SHA1: 38a710491bb5a25b8041ec696e8fb04d141ae9d8
  SHA256: 70056310f5cfa853b61e10ac840d5eac7b3cc8c90c635ef11cbb3d67d25f6b5b
  SHA512: 24eb166b11950b2bab4312f816d6f265cdd648262cf15e373219f9af110ac694604f718ef34635f973be35959fefa68ce4617ccf1d688b96d60ee3a047155a77
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
  Filesize: 2KB
  MD5: 404a3ec24e3ebf45be65e77f75990825
  SHA1: 1e05647cf0a74cedfdeabfa3e8ee33b919780a61
  SHA256: cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
  SHA512: a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5
- C:\Users\Admin\AppData\Local\Packages\microsoft.mspaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Filesize: 4KB
  MD5: 1bfe591a4fe3d91b03cdf26eaacd8f89
  SHA1: 719c37c320f518ac168c86723724891950911cea
  SHA256: 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
  SHA512: 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
- C:\Users\Admin\AppData\Local\Packages\microsoft.mspaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Filesize: 338B
  MD5: 3cdb58f4130d87cbd48166cb7346fa04
  SHA1: 59f7fc2ea1b6791f94c859b186f474a936d7dfbf
  SHA256: a805131e00ad9d78064b96b29badcddd2eb3e93a9122b6ed08ff1326b4ac2342
  SHA512: 6c4a289e3881f74a566dda26d28404ea6bf90a413d7f6aa16af0d1ed5f60325090820714e241cc34ab1dc7bc745718df3ecfb9e8b72578cefa044ea98e30fdb8
Memory dumps (dump name, address range, size; grouped by PID)
- memory/512-0    0x00007FFE943D3000-0x00007FFE943D4000   4KB
- memory/512-1    0x0000026AB3930000-0x0000026AB3948000   96KB
- memory/512-2    0x0000026ACDFA0000-0x0000026ACE162000   1.8MB
- memory/512-3    0x00007FFE943D0000-0x00007FFE94DBC000   9.9MB
- memory/512-4    0x0000026ACE7A0000-0x0000026ACECC6000   5.1MB
- memory/512-5    0x00007FFE943D3000-0x00007FFE943D4000   4KB
- memory/512-6    0x00007FFE943D0000-0x00007FFE94DBC000   9.9MB
- memory/512-101  0x0000026AB5690000-0x0000026AB56CE000   248KB
- memory/512-102  0x00007FFEB0420000-0x00007FFEB05FB000   1.9MB
- memory/512-103  0x00007FFEB02C0000-0x00007FFEB036E000   696KB
- memory/556-110  0x0000025DA6040000-0x0000025DA6063000   140KB
- memory/556-112  0x0000025DA6070000-0x0000025DA609A000   168KB
- memory/556-113  0x00007FFE704B0000-0x00007FFE704C0000   64KB
- memory/644-115  0x0000024C650A0000-0x0000024C650CA000   168KB
- memory/644-116  0x00007FFE704B0000-0x00007FFE704C0000   64KB
- memory/880-19   0x00007FF708A20000-0x00007FF708B18000   992KB
- memory/880-20   0x00007FFEA05A0000-0x00007FFEA05D4000   208KB
- memory/880-21   0x00007FFE8FAF0000-0x00007FFE8FDA6000   2.7MB
- memory/880-22   0x00007FFE8A100000-0x00007FFE8B1B0000   16.7MB
- memory/880-23   0x00007FFE8E180000-0x00007FFE8E28E000   1.1MB
- memory/1012-121 0x0000028C40600000-0x0000028C4062A000   168KB
- memory/1012-122 0x00007FFE704B0000-0x00007FFE704C0000   64KB
- memory/4896-104 0x0000000140000000-0x0000000140040000   256KB
- memory/4896-105 0x0000000140000000-0x0000000140040000   256KB
- memory/4896-106 0x00007FFEB0420000-0x00007FFEB05FB000   1.9MB
- memory/4896-107 0x00007FFEB02C0000-0x00007FFEB036E000   696KB
- memory/4896-108 0x0000000140000000-0x0000000140040000   256KB

Where to look first: the 0x00007FFE... ranges that recur in PIDs 512 and 4896 (and the 0x00007FFE704B0000 64KB range in 556, 644 and 1012) sit in the region where system DLLs are mapped at the same per-boot address in every process, so on their own they are not evidence of injection. The three 256KB dumps of PID 4896 at 0x0000000140000000, the default image base of a 64-bit PE rather than an address an ASLR-relocated dllhost.exe would normally occupy, and the 168KB/140KB private regions that appear in winlogon.exe (556), lsass.exe (644) and dwm.exe (1012), all of them targets of dllhost.exe's WriteProcessMemory calls, are the dumps to carve for the injected code. The PID 880 (vlc.exe) dumps belong to the media player launched in the session, not to the sample.