discordrat | d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-07-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

veydovokna.exe
Size

78KB
MD5

7ee32f2553fa474e79b2f1a444172735
SHA1

fc17876384c197f73a7471850d13748aa6f659b0
SHA256

d99a4d776f04dfd3e8004c466ab81788da8f0ba08b83430df4dd984fa1ef4e39
SHA512

2789dc16e615f28c29f5e81ade9e4b03a47d9855cc9092bbcdf90ce7419fe38cabd729a87f038f4aa3d8e2f5317ac69a0637737f468dd8d05532dbd3dda738b9
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjYyNDkzOTk3MzQ4MDYzOA.GmmRJ5.-nbYbt2H8apuatUJNXT2gF-Pq4ZpLJRKwy0hls
server_id
1257063713945419826

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 512 created 556	512	veydovokna.exe	5

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	discord.com
24	raw.githubusercontent.com
23	raw.githubusercontent.com
30	discord.com
13	discord.com
28	discord.com
29	discord.com
34	discord.com
9	discord.com
12	discord.com
25	discord.com
27	discord.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 4896	512	veydovokna.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
880	vlc.exe
1164	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe
1164	PaintStudio.View.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
880	vlc.exe
3324	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	veydovokna.exe
Token: SeDebugPrivilege	1164	PaintStudio.View.exe
Token: SeDebugPrivilege	1164	PaintStudio.View.exe
Token: SeDebugPrivilege	1164	PaintStudio.View.exe
Token: SeDebugPrivilege	512	veydovokna.exe
Token: SeDebugPrivilege	4896	dllhost.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3840	RuntimeBroker.exe
Token: SeCreatePagefilePrivilege	3840	RuntimeBroker.exe
Token: SeShutdownPrivilege	3840	RuntimeBroker.exe
Token: SeCreatePagefilePrivilege	3840	RuntimeBroker.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeDebugPrivilege	5772	taskmgr.exe
Token: SeSystemProfilePrivilege	5772	taskmgr.exe
Token: SeCreateGlobalPrivilege	5772	taskmgr.exe
Token: SeAuditPrivilege	1592	svchost.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeDebugPrivilege	512	veydovokna.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1444	notepad.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
1012	dwm.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
3324	Explorer.EXE
3324	Explorer.EXE
5772	taskmgr.exe
5772	taskmgr.exe
1012	dwm.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
1012	dwm.exe
5772	taskmgr.exe
5772	taskmgr.exe
1012	dwm.exe
1012	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
880	vlc.exe
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
3324	Explorer.EXE
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
880	vlc.exe
1164	PaintStudio.View.exe
4572	mspaint.exe
4572	mspaint.exe
4572	mspaint.exe
4572	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 512 wrote to memory of 4896	512	veydovokna.exe	88
PID 4896 wrote to memory of 556	4896	dllhost.exe	5
PID 4896 wrote to memory of 644	4896	dllhost.exe	7
PID 4896 wrote to memory of 752	4896	dllhost.exe	10
PID 4896 wrote to memory of 912	4896	dllhost.exe	13
PID 4896 wrote to memory of 1012	4896	dllhost.exe	14
PID 4896 wrote to memory of 420	4896	dllhost.exe	15
PID 4896 wrote to memory of 504	4896	dllhost.exe	16
PID 4896 wrote to memory of 628	4896	dllhost.exe	17
PID 4896 wrote to memory of 1084	4896	dllhost.exe	18
PID 4896 wrote to memory of 1108	4896	dllhost.exe	20
PID 4896 wrote to memory of 1192	4896	dllhost.exe	21
PID 4896 wrote to memory of 1200	4896	dllhost.exe	22
PID 4896 wrote to memory of 1232	4896	dllhost.exe	23
PID 4896 wrote to memory of 1240	4896	dllhost.exe	24
PID 4896 wrote to memory of 1380	4896	dllhost.exe	25
PID 4896 wrote to memory of 1404	4896	dllhost.exe	26
PID 4896 wrote to memory of 1436	4896	dllhost.exe	27
PID 4896 wrote to memory of 1512	4896	dllhost.exe	28
PID 4896 wrote to memory of 1560	4896	dllhost.exe	29
PID 4896 wrote to memory of 1616	4896	dllhost.exe	30
PID 4896 wrote to memory of 1632	4896	dllhost.exe	31
PID 4896 wrote to memory of 1728	4896	dllhost.exe	32
PID 4896 wrote to memory of 1760	4896	dllhost.exe	33
PID 4896 wrote to memory of 1772	4896	dllhost.exe	34
PID 4896 wrote to memory of 1828	4896	dllhost.exe	35
PID 4896 wrote to memory of 1860	4896	dllhost.exe	36
PID 4896 wrote to memory of 2044	4896	dllhost.exe	37
PID 4896 wrote to memory of 1592	4896	dllhost.exe	38
PID 4896 wrote to memory of 2220	4896	dllhost.exe	39
PID 4896 wrote to memory of 2240	4896	dllhost.exe	40
PID 4896 wrote to memory of 2248	4896	dllhost.exe	41
PID 4896 wrote to memory of 2288	4896	dllhost.exe	42
PID 4896 wrote to memory of 2348	4896	dllhost.exe	43
PID 4896 wrote to memory of 2380	4896	dllhost.exe	44
PID 4896 wrote to memory of 2420	4896	dllhost.exe	45
PID 4896 wrote to memory of 2432	4896	dllhost.exe	46
PID 4896 wrote to memory of 2448	4896	dllhost.exe	47
PID 4896 wrote to memory of 2696	4896	dllhost.exe	48
PID 4896 wrote to memory of 2968	4896	dllhost.exe	49
PID 4896 wrote to memory of 2976	4896	dllhost.exe	50
PID 4896 wrote to memory of 2988	4896	dllhost.exe	51
PID 4896 wrote to memory of 2184	4896	dllhost.exe	52
PID 4896 wrote to memory of 3180	4896	dllhost.exe	53
PID 4896 wrote to memory of 3324	4896	dllhost.exe	54
PID 4896 wrote to memory of 3840	4896	dllhost.exe	57
PID 4896 wrote to memory of 4080	4896	dllhost.exe	58
PID 4896 wrote to memory of 4764	4896	dllhost.exe	60
PID 4896 wrote to memory of 4952	4896	dllhost.exe	62
PID 4896 wrote to memory of 5016	4896	dllhost.exe	63
PID 4896 wrote to memory of 3080	4896	dllhost.exe	64
PID 4896 wrote to memory of 4008	4896	dllhost.exe	65
PID 4896 wrote to memory of 4508	4896	dllhost.exe	66
PID 4896 wrote to memory of 2360	4896	dllhost.exe	67

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e7d6cd19-0383-45ce-b7fb-436e9ad97cca}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1108
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1404
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2988

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1860

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2044

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2288

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2696

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2976

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3324
- C:\Users\Admin\AppData\Local\Temp\veydovokna.exe
  "C:\Users\Admin\AppData\Local\Temp\veydovokna.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:512
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1444
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterSplit.ogg"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:880
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4572
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5016

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4508

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2360

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:4332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s LicenseManager
1⤵
PID:2400

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k imgsvc
1⤵
PID:2028

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
233B

MD5
721836bbbbc66f60f370b7b4dfa46834

SHA1
38a710491bb5a25b8041ec696e8fb04d141ae9d8

SHA256
70056310f5cfa853b61e10ac840d5eac7b3cc8c90c635ef11cbb3d67d25f6b5b

SHA512
24eb166b11950b2bab4312f816d6f265cdd648262cf15e373219f9af110ac694604f718ef34635f973be35959fefa68ce4617ccf1d688b96d60ee3a047155a77

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.mspaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.mspaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
3cdb58f4130d87cbd48166cb7346fa04

SHA1
59f7fc2ea1b6791f94c859b186f474a936d7dfbf

SHA256
a805131e00ad9d78064b96b29badcddd2eb3e93a9122b6ed08ff1326b4ac2342

SHA512
6c4a289e3881f74a566dda26d28404ea6bf90a413d7f6aa16af0d1ed5f60325090820714e241cc34ab1dc7bc745718df3ecfb9e8b72578cefa044ea98e30fdb8

Download Submit
memory/512-102-0x00007FFEB0420000-0x00007FFEB05FB000-memory.dmp

Filesize
1.9MB

Download
memory/512-101-0x0000026AB5690000-0x0000026AB56CE000-memory.dmp

Filesize
248KB

Download
memory/512-6-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

Filesize
9.9MB

Download
memory/512-0-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp

Filesize
4KB

Download
memory/512-103-0x00007FFEB02C0000-0x00007FFEB036E000-memory.dmp

Filesize
696KB

Download
memory/512-4-0x0000026ACE7A0000-0x0000026ACECC6000-memory.dmp

Filesize
5.1MB

Download
memory/512-5-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp

Filesize
4KB

Download
memory/512-2-0x0000026ACDFA0000-0x0000026ACE162000-memory.dmp

Filesize
1.8MB

Download
memory/512-3-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

Filesize
9.9MB

Download
memory/512-1-0x0000026AB3930000-0x0000026AB3948000-memory.dmp

Filesize
96KB

Download
memory/556-113-0x00007FFE704B0000-0x00007FFE704C0000-memory.dmp

Filesize
64KB

Download
memory/556-112-0x0000025DA6070000-0x0000025DA609A000-memory.dmp

Filesize
168KB

Download
memory/556-110-0x0000025DA6040000-0x0000025DA6063000-memory.dmp

Filesize
140KB

Download
memory/644-115-0x0000024C650A0000-0x0000024C650CA000-memory.dmp

Filesize
168KB

Download
memory/644-116-0x00007FFE704B0000-0x00007FFE704C0000-memory.dmp

Filesize
64KB

Download
memory/880-19-0x00007FF708A20000-0x00007FF708B18000-memory.dmp

Filesize
992KB

Download
memory/880-22-0x00007FFE8A100000-0x00007FFE8B1B0000-memory.dmp

Filesize
16.7MB

Download
memory/880-23-0x00007FFE8E180000-0x00007FFE8E28E000-memory.dmp

Filesize
1.1MB

Download
memory/880-21-0x00007FFE8FAF0000-0x00007FFE8FDA6000-memory.dmp

Filesize
2.7MB

Download
memory/880-20-0x00007FFEA05A0000-0x00007FFEA05D4000-memory.dmp

Filesize
208KB

Download
memory/1012-122-0x00007FFE704B0000-0x00007FFE704C0000-memory.dmp

Filesize
64KB

Download
memory/1012-121-0x0000028C40600000-0x0000028C4062A000-memory.dmp

Filesize
168KB

Download
memory/4896-107-0x00007FFEB02C0000-0x00007FFEB036E000-memory.dmp

Filesize
696KB

Download
memory/4896-108-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4896-106-0x00007FFEB0420000-0x00007FFEB05FB000-memory.dmp

Filesize
1.9MB

Download
memory/4896-105-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4896-104-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download