discordrat | e829111a06b3c46316e683ea01a4bef38ef035617c59530fd792ba0fb56b3c4f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rat.xml
Size

229B
MD5

028e53859fd915bc1af667647286a618
SHA1

a4e7b6ca46701c06b71dded3dbde52246825a437
SHA256

e829111a06b3c46316e683ea01a4bef38ef035617c59530fd792ba0fb56b3c4f
SHA512

51b070895622559f299eabfa723c3740ccf5c4039b927361fe10b680b881f4040908d2b9cdfe11957708c801554157a4f9f2ea939dd541720b8125281d3356b9

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjYxMDkyODE0MTY2NDM0Ng.GoCAda.9jAnxnZbVToLnUTaW-wRrWIl-V07WOjBZlKZ6U
server_id
809482718164680734

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rat.exe

description pid process target process

PID 4952 created 612 4952 rat.exe winlogon.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

rat.exerat.exe

pid process

5568 rat.exe
4952 rat.exe

description	pid	process	target process
PID 4952 created 612	4952	rat.exe	winlogon.exe

pid	process
5568	rat.exe
4952	rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
67	discord.com
76	discord.com
84	discord.com
78	discord.com
80	discord.com
83	raw.githubusercontent.com
79	discord.com
82	raw.githubusercontent.com
86	discord.com
66	discord.com
72	discord.com
73	discord.com
81	discord.com

Drops file in System32 directory 3 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77rat.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rat.exe

description pid process target process

PID 4952 set thread context of 3524 4952 rat.exe dllhost.exe

description	pid	process	target process
PID 4952 set thread context of 3524	4952	rat.exe	dllhost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 486714.crdownload:SmartScreen msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

SCHTASKS.exe

pid process

4520 SCHTASKS.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 486714.crdownload:SmartScreen	msedge.exe

pid	process
4520	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exemsedge.exerat.exedllhost.exerat.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1612	msedge.exe
1612	msedge.exe
4656	msedge.exe
4656	msedge.exe
4264	identity_helper.exe
4264	identity_helper.exe
5492	msedge.exe
5492	msedge.exe
4952	rat.exe
4952	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
5568	rat.exe
4952	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
4952	rat.exe
3524	dllhost.exe
5568	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
4952	rat.exe
3524	dllhost.exe
3524	dllhost.exe
5568	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
4952	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
5568	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
4952	rat.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
3524	dllhost.exe
5568	rat.exe
3524	dllhost.exe
3524	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chrome.exemsedge.exerat.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
5568	rat.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of UnmapMainImage 3 IoCs

Processes:

Explorer.EXERuntimeBroker.exeRuntimeBroker.exe

pid process

3484 Explorer.EXE
3980 RuntimeBroker.exe
432 RuntimeBroker.exe

pid	process
3484	Explorer.EXE
3980	RuntimeBroker.exe
432	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1604 wrote to memory of 3636	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3636	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 3512	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 4808	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 4808	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1744	1604	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:332

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3d462b6b-9e0f-4a5c-8633-159826012097}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1112

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2732

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2876

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3380

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3484

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rat.xml"
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff92bd0cc40,0x7ff92bd0cc4c,0x7ff92bd0cc58
3⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1816 /prefetch:2
3⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2120 /prefetch:3
3⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2464 /prefetch:8
3⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
3⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3308,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3708,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4572 /prefetch:1
3⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4816 /prefetch:8
3⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,310574664692183332,4857169188128992421,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4896 /prefetch:8
3⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff919b646f8,0x7ff919b64708,0x7ff919b64718
3⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
3⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
3⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
3⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
3⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
3⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
3⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
3⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
3⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
3⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
3⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
3⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
3⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
3⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
3⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4884 /prefetch:8
3⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,14702249762386550926,5986931259662783613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5492

C:\Users\Admin\Downloads\rat.exe
"C:\Users\Admin\Downloads\rat.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5568

C:\Users\Admin\Downloads\rat.exe
"C:\Users\Admin\Downloads\rat.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77rat.exe" /tr "'C:\Users\Admin\Downloads\rat.exe'" /sc onlogon /rl HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3704

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1832

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1600

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2140

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\317eb928-ebb6-445a-bee1-5ebc14f4c001.tmp
Filesize
181KB

MD5
9fef286bcb98bd15034a71c4a1318d89

SHA1
51b86e3eae0caf1c39b237d5a6b98e1312da99ba

SHA256
132696e80868d2f3165e2df899da88fa4b5205d9028554c8f3a78c87f7508a09

SHA512
ff4c9247624e12ca4445ff556d2db53939d84d73fc0fc939e953a2550d385be6f810d4b740e47a7c95235a57f52f5f9f67001e446394807838fba1a07cf0cb00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
1db6df4eb6aec098a2a5327657380b1c

SHA1
f8609fd48cc62e9c98a04049b84737f3cb550fba

SHA256
7a90b3d58c8de8b65ea0e4c6acf7490e664f5666109d6ad76df45548494414fa

SHA512
1b9754a9f3bdfe95179169109ad6717b819ebd5e3b6a081bb26423f7136e786f28f4f8ae16180dc9a283fcaffa01096973142a13e5655ee4acfa7ee81f2a1037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
2f7db35084ebed8270de79da2177bd46

SHA1
1901a7f25fdbda57d6fbf2b346bdffeb19d06c36

SHA256
0dfe6e3068ec692b121706e388859631698d5dcb9c5343941f47086723739562

SHA512
602886e32ab59bbbbd3737faae9cdd4d4dc7c8681143e9729f88464316fd77aec2c673272f4daa2f2bfd6e4216939532f90abdf0f9c79373468e12bbb19919b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
a846c0e02e2ddaa0d3c179cf0d1ad12a

SHA1
03057eef71e9ce082421642fcd9847d1126243f2

SHA256
8371fdb1f7f8d2c7aba6cf8de25c1ddcc542325ee30377bb10cfb864434d6c66

SHA512
926268cc4636b8069e05e1f2700485869f75bffa9e543ea5a41044142299763a45695223ecf9b84c411afe52c6f40d6b449de02be90f974f7bf991b9f18506f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
996e4ee69daabafea32602e7c8bd3626

SHA1
673e199b5cc8bde97807c9abe81b268507e7cc16

SHA256
71245428c041c702c59d7792adbb8ba0de033b000c89aafe394ca533358ae3a2

SHA512
6d6ab40bd5c4e4171f4688b65867a4db7b59fd48d293fe4cf0e28a2a3a1f9e427db38c087957828d8ddc4f344c42ec58510c62a405c0d18faab0ca233cee61cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
3790c363d0d7b25d31432322c4280cba

SHA1
2b75e90e825db6b8e4646dea60394dc9f0b0a14d

SHA256
9a831fe809174dfc6867981b524195f07e2986bc7912f92852327b719417e2bb

SHA512
2ac6f1c8667219d2189d8e94bc863651ffb7dd581464d643409cb8a0f8266bb132f60329aed63de9da184c489f554fb4a93a7d6fa9be03d9f65a445d63f50ba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f210b1ecb749f0ff92dc5f1b6f5c1335

SHA1
69b92affdc34a7f9c49623e76d30a4f69173c43b

SHA256
a6306b10285111ae992550a35ea90a9ba3bf6fbde499446dda8fb2b7321dc168

SHA512
eb8754169320bde92427dcf5ded5f397e146d274bcb5fdd22da18219436156cd17e5d43fc463ec6acae4590d5ee7bb9a4da7930c9f8f94fc96456a0436e4980f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1c1a745a8c9805720552ff6727cdfb6e

SHA1
06b4eec80ad0d038aa63070869606134b5ab2c6e

SHA256
9317241dcfa98e2eb0ab2470dc4e387793bf96effb690b9c1f4ce79e61af3373

SHA512
78e3fd866822bd58cbc52d9189b7f20a365768e73b4087c8d0a89420194e11c2675709c7b2051e7cb7daa83057af3fbe6d24c830b3b0232c6d852367c128c955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
31088617e49fa8737493dce07a6d8a1d

SHA1
35ce96237cc500d0a52530952b676680af9bfe7a

SHA256
256e3372b0138f000675388168225548e3bf1e01fc61bd1b7f9a61eeca2816bf

SHA512
85bf49668f93607538ada5ef70fd022fbb884920fdb7047538b2fca785cbec3ef27d434a81c554fb9af9c11b50f529ad6631021801caddd45d51fe79c43da47d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
0a55f4b29a7dc1fd64311f50434d0c9c

SHA1
3db9a51d359a25339736d94a1052b295f8658f0f

SHA256
f312ac7ab3ec0ce19ccb431d5de10517b701a4e1947e2c3751ded36eeedcda9a

SHA512
f333554aa178cc041175888d505fc6038f252906fb64e8ff7c49f1260a66c270dc302191f7ed8863bfbf6817683b5489ee25354f4fb190c4e721a0a2124c7681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
181KB

MD5
4b015aa23706c2d19ce02b8f0a3c22b8

SHA1
3173d7dd0df0c11824b20ce2355937ca78681b17

SHA256
776d88a76d590781927921090397298adc32ac2b3592260d2cf0f9a4af750f5c

SHA512
cecfbb18a2befbb8378c3f520c10f04c5de72ba0481754b9575f18d34d21c4f1c4b11ad7fba18a3de77d1ebe69cfc0e452c3ca07d51c6dcb45a3a3fcdcea6201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
1650fe7ea23c787b18b23d5a042e090a

SHA1
085dda5ed6beaeb68108a548af393bca6e7f52e6

SHA256
1be1f094ef06897e23db52a535364a62b57d678e09f1ee934242e119bec45893

SHA512
25500c50d92dc6b1ee31ff0c2d0bf381a77397e55e7123529dba1e0854c9475af5d6bd5e8578d67b32efea016ae57e0dab90100d52926b766902e719c1f37f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
387B

MD5
a76d8ae9523bcf5bb2caa451121a0d91

SHA1
4867caa19f280aabdc4f85f6468335d70ad1d996

SHA256
515a528f05f0c708175813df2e149b0960d193bd4dac47a11a7641745c8a063b

SHA512
9dbab2a7c6ce09335a805a319399b95ad818c94153d57818cdf30cd26f825ab4517d15dca8bf4156a0aab5a24a6c06977ddb5f9d27f4be8f601a813dc88b9a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ff748ebbb348761035956d34a59629f3

SHA1
5b12f59ab2480816f74f8324b7e958dca2c14898

SHA256
630e1e4fe159c4ae912d480f27b3273974d67e16db787e1b2fa2d946892a42db

SHA512
f35a02866b9be2fb297c23ab59b3c5f4a8a24f57ae2a48069782a2480cd7859625508c25d7e1331a4429d61ae377ffa033354284679c6a21035bb1c9c6114b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1bd70d115b48ace62cbdb418b429b205

SHA1
c2fbb778f66f3a2644167ba497e4cb691b192274

SHA256
a700a5596983cac03ba5f7c208435767699739429f7dee02247908ecd9667236

SHA512
4bf0039b5196e1b86eb7bad6a4e62114322882d13085428989b61fec6ed060fed19d692db1d1e1e2c5325af501e9bedd25ce87be573dca863981544892e7cdf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
159df4c176fcc163a1d93b41ebb654ff

SHA1
d8b71ad52f7a1f1be9be759e5808deb2ac7d8d1a

SHA256
4ff2613f48c9f130313feaa078cf922b946795731acbe8c8bb6c7d132f3a2b74

SHA512
77b69680b40a0a4e02f1c0c52b6b913eeb1aa10502b9b41a175002163b2aa1f47f7050e8b17db3c66949b3fa305952ee29c36ca95f7cb7245f5a5ccd39da17cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
40c4eb80ef63fb3b7494f5b7233c6de8

SHA1
926458b08597412c4e265ac4e66f323c6e5a92db

SHA256
1f9152fe6e567a1298ff070196f5f7358a473d8f5b19e7ea27150bb1ffb7ba86

SHA512
14f2186c5333cea46100ad8f2197c3779a96cc2c4c691d713e8889b260e85e8acd47cd155c569b3573851110a0d580c25eb8701c03c8f4fd00f237d959e474b4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 486714.crdownload
Filesize
78KB

MD5
778530293626aa22c24995339aebdb0c

SHA1
6316c9b311be02521566b0f612be5b39c02071bd

SHA256
70be34e9af44e63074c443f14c312228e887269fcf3feb757ed674cc5390b262

SHA512
1fa355c5defdc008858d14f5b0304aea046de062e2c703dc47ebecc84d7f15da5a29d6c474390c9dc110c8d22b96ac30ba4ae836460023f1fd22a694794fe2c7

Download Submit
\??\pipe\crashpad_1604_WVCJEWFHITLJCARE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/332-314-0x0000029850BA0000-0x0000029850BCA000-memory.dmp

Filesize
168KB

Download
memory/332-315-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/612-306-0x000001F5E7B10000-0x000001F5E7B3A000-memory.dmp

Filesize
168KB

Download
memory/612-307-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/612-304-0x000001F5E7A80000-0x000001F5E7AA3000-memory.dmp

Filesize
140KB

Download
memory/668-312-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/668-311-0x0000016DA8600000-0x0000016DA862A000-memory.dmp

Filesize
168KB

Download
memory/736-322-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/736-321-0x000002126BFA0000-0x000002126BFCA000-memory.dmp

Filesize
168KB

Download
memory/948-330-0x0000020AB24C0000-0x0000020AB24EA000-memory.dmp

Filesize
168KB

Download
memory/948-331-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/952-318-0x0000020244FD0000-0x0000020244FFA000-memory.dmp

Filesize
168KB

Download
memory/952-319-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1096-334-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1096-333-0x000001E7236D0000-0x000001E7236FA000-memory.dmp

Filesize
168KB

Download
memory/1112-337-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1112-336-0x000001E2CE560000-0x000001E2CE58A000-memory.dmp

Filesize
168KB

Download
memory/1136-341-0x000001A939800000-0x000001A93982A000-memory.dmp

Filesize
168KB

Download
memory/1136-342-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1224-345-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1224-344-0x00000284A1F60000-0x00000284A1F8A000-memory.dmp

Filesize
168KB

Download
memory/1236-339-0x000002BEAFB40000-0x000002BEAFB6A000-memory.dmp

Filesize
168KB

Download
memory/1244-348-0x000001A80F680000-0x000001A80F6AA000-memory.dmp

Filesize
168KB

Download
memory/1244-349-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1372-359-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1372-358-0x00000232266A0000-0x00000232266CA000-memory.dmp

Filesize
168KB

Download
memory/1612-4-0x00007FF93ABD0000-0x00007FF93ADC5000-memory.dmp

Filesize
2.0MB

Download
memory/1612-0-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/1612-1-0x00007FF93AC6D000-0x00007FF93AC6E000-memory.dmp

Filesize
4KB

Download
memory/1612-2-0x00007FF93ABD0000-0x00007FF93ADC5000-memory.dmp

Filesize
2.0MB

Download
memory/1612-3-0x00007FF93ABD0000-0x00007FF93ADC5000-memory.dmp

Filesize
2.0MB

Download
memory/3524-299-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3524-298-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3524-300-0x00007FF93ABD0000-0x00007FF93ADC5000-memory.dmp

Filesize
2.0MB

Download
memory/3524-301-0x00007FF939990000-0x00007FF939A4E000-memory.dmp

Filesize
760KB

Download
memory/3524-302-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4952-296-0x00007FF93ABD0000-0x00007FF93ADC5000-memory.dmp

Filesize
2.0MB

Download
memory/4952-297-0x00007FF939990000-0x00007FF939A4E000-memory.dmp

Filesize
760KB

Download
memory/4952-295-0x000001EBFC3C0000-0x000001EBFC3FE000-memory.dmp

Filesize
248KB

Download
memory/5568-230-0x0000015B79760000-0x0000015B79C88000-memory.dmp

Filesize
5.2MB

Download
memory/5568-229-0x0000015B78F20000-0x0000015B790E2000-memory.dmp

Filesize
1.8MB

Download
memory/5568-228-0x0000015B768A0000-0x0000015B768B8000-memory.dmp

Filesize
96KB

Download