discordrat | 6ae2eda2d99617d2df7ad5bcb6b6521e96b18cf26d62db6f1521281c90f89d27

Analysis

max time kernel
1200s
max time network
1149s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
18-07-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

aee9adc778457502a1a34477c8c4ae73
SHA1

f2789a1c6fca778f10e511b57c9dda13ce2f7f0d
SHA256

6ae2eda2d99617d2df7ad5bcb6b6521e96b18cf26d62db6f1521281c90f89d27
SHA512

c9a6f53da6758d1f6e07c65947e4a31b2a2fefc2e560bb2bd4a9c4205c29352ade68cd21b6e81ad5495db75ff8b6460afd488bd66a7c0f66031fb3fc9865b746
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+XPIC:5Zv5PDwbjNrmAE+fIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MzQzNzIyMjg5NjczNDIwOQ.G2Vzuz.KQI3pwoLAi2QNOsM3VLvNcTIjyN7N1ULpSLPGE
server_id
1224684836627681300

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2764 created 652	2764	Client-built.exe	5

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
32	discord.com
33	raw.githubusercontent.com
1	discord.com
19	discord.com
20	discord.com
21	discord.com
34	discord.com
17	discord.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2764 set thread context of 4012	2764	Client-built.exe	91

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1721331031"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 18 Jul 2024 19:30:32 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={BE6C67B3-56AB-4C91-A364-E2320FBC16D4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5460	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
2764	Client-built.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	Client-built.exe
Token: SeDebugPrivilege	2764	Client-built.exe
Token: SeDebugPrivilege	4012	dllhost.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	548	dwm.exe
Token: SeCreatePagefilePrivilege	548	dwm.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	548	dwm.exe
Token: SeCreatePagefilePrivilege	548	dwm.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	548	dwm.exe
Token: SeCreatePagefilePrivilege	548	dwm.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	548	dwm.exe
Token: SeCreatePagefilePrivilege	548	dwm.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3872	RuntimeBroker.exe
3316	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 5460	2764	Client-built.exe	89
PID 2764 wrote to memory of 5460	2764	Client-built.exe	89
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 2764 wrote to memory of 4012	2764	Client-built.exe	91
PID 4012 wrote to memory of 652	4012	dllhost.exe	5
PID 4012 wrote to memory of 704	4012	dllhost.exe	7
PID 4012 wrote to memory of 1008	4012	dllhost.exe	12
PID 4012 wrote to memory of 548	4012	dllhost.exe	13
PID 4012 wrote to memory of 448	4012	dllhost.exe	14
PID 4012 wrote to memory of 788	4012	dllhost.exe	15
PID 4012 wrote to memory of 1048	4012	dllhost.exe	16
PID 4012 wrote to memory of 1068	4012	dllhost.exe	17
PID 4012 wrote to memory of 1148	4012	dllhost.exe	18
PID 4012 wrote to memory of 1216	4012	dllhost.exe	20
PID 4012 wrote to memory of 1224	4012	dllhost.exe	21
PID 4012 wrote to memory of 1280	4012	dllhost.exe	22
PID 4012 wrote to memory of 1376	4012	dllhost.exe	23
PID 4012 wrote to memory of 1404	4012	dllhost.exe	24
PID 4012 wrote to memory of 1424	4012	dllhost.exe	25
PID 4012 wrote to memory of 1548	4012	dllhost.exe	26
PID 4012 wrote to memory of 1556	4012	dllhost.exe	27
PID 4012 wrote to memory of 1684	4012	dllhost.exe	28
PID 4012 wrote to memory of 1708	4012	dllhost.exe	29
PID 4012 wrote to memory of 1784	4012	dllhost.exe	30
PID 4012 wrote to memory of 1852	4012	dllhost.exe	31
PID 4012 wrote to memory of 1896	4012	dllhost.exe	32
PID 4012 wrote to memory of 2036	4012	dllhost.exe	33
PID 4012 wrote to memory of 2044	4012	dllhost.exe	34
PID 4012 wrote to memory of 2012	4012	dllhost.exe	35
PID 4012 wrote to memory of 2084	4012	dllhost.exe	36
PID 4012 wrote to memory of 2208	4012	dllhost.exe	37
PID 4012 wrote to memory of 2288	4012	dllhost.exe	39
PID 4012 wrote to memory of 2364	4012	dllhost.exe	40
PID 4012 wrote to memory of 2380	4012	dllhost.exe	41
PID 4012 wrote to memory of 2428	4012	dllhost.exe	42
PID 4012 wrote to memory of 2440	4012	dllhost.exe	43
PID 4012 wrote to memory of 2492	4012	dllhost.exe	44
PID 4012 wrote to memory of 2512	4012	dllhost.exe	45
PID 4012 wrote to memory of 2540	4012	dllhost.exe	46
PID 4012 wrote to memory of 2552	4012	dllhost.exe	47
PID 4012 wrote to memory of 2560	4012	dllhost.exe	48
PID 4012 wrote to memory of 2216	4012	dllhost.exe	50
PID 4012 wrote to memory of 2684	4012	dllhost.exe	51
PID 4012 wrote to memory of 3088	4012	dllhost.exe	52
PID 4012 wrote to memory of 3316	4012	dllhost.exe	53
PID 4012 wrote to memory of 3436	4012	dllhost.exe	54
PID 4012 wrote to memory of 3476	4012	dllhost.exe	55
PID 4012 wrote to memory of 3804	4012	dllhost.exe	58
PID 4012 wrote to memory of 3872	4012	dllhost.exe	59
PID 4012 wrote to memory of 3980	4012	dllhost.exe	60
PID 4012 wrote to memory of 4076	4012	dllhost.exe	61
PID 4012 wrote to memory of 4336	4012	dllhost.exe	62
PID 4012 wrote to memory of 4440	4012	dllhost.exe	63
PID 4012 wrote to memory of 5548	4012	dllhost.exe	66
PID 4012 wrote to memory of 5748	4012	dllhost.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:652
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{13eac335-4365-470a-a281-115139c34d79}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1376
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2084

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2492

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3316
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3364

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4672

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3828

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
80ea1c645eb99cde870001246000d1eb

SHA1
f10acc27d6d2cadf57e712317f647a71d5773ee8

SHA256
5345ef500f86077c809beaeb403aba6c6fccd6e9961563ddd858bf90c92c9397

SHA512
54f5e04ab3464bcb91f210cd6dcdbcb81aac223ac54703ff50924e5b1ed4857098869bb2ccc168b7181dfbb3fb8d132713fd0e7e8270ac14db90d4f4aa187156

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
538ea5e23bf284f2e8e4faae29308295

SHA1
cc0b05af12351fa898211ecfbbfeb789ef979e9e

SHA256
e480049187432536b52f6ee89723cc33da79484ce76a832baad6849f95d72f1e

SHA512
a5002c892df5a5175cb76ec9f5a1600b6cebe4a50b2143a20f92687cd78defa0b5f8761e9c99f670266068800a33b7f8756973ab35b97267fec1333aaa817e36

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
b941c09f061ef105b4ac06ab406a94e0

SHA1
325bdcc321f351a8eda8b66683b0145ec31d6a7a

SHA256
6f41ccb746f02fe16eb18c1896ad7d2c986a7022cf6f1118d05455c265d440ff

SHA512
6dd23afb8966bcccead7d98b919050d5622aa03799a11b15e415033d58ebfe8d9051f7422416024705e58dba028dd7bd353c0edc1608edfee9c2bc9905d93ee0

Download Submit
memory/448-265-0x000001F941A60000-0x000001F941A8A000-memory.dmp

Filesize
168KB

Download
memory/448-35-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/448-34-0x000001F941A60000-0x000001F941A8A000-memory.dmp

Filesize
168KB

Download
memory/548-28-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/548-27-0x00000215FF980000-0x00000215FF9AA000-memory.dmp

Filesize
168KB

Download
memory/548-263-0x00000215FF980000-0x00000215FF9AA000-memory.dmp

Filesize
168KB

Download
memory/652-260-0x000002ADF0970000-0x000002ADF099A000-memory.dmp

Filesize
168KB

Download
memory/652-261-0x00007FFA8E4A4000-0x00007FFA8E4A5000-memory.dmp

Filesize
4KB

Download
memory/652-17-0x000002ADF0940000-0x000002ADF0963000-memory.dmp

Filesize
140KB

Download
memory/652-18-0x000002ADF0970000-0x000002ADF099A000-memory.dmp

Filesize
168KB

Download
memory/652-19-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/704-23-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/704-22-0x00000261536B0000-0x00000261536DA000-memory.dmp

Filesize
168KB

Download
memory/704-262-0x00000261536B0000-0x00000261536DA000-memory.dmp

Filesize
168KB

Download
memory/788-266-0x0000025AA07B0000-0x0000025AA07DA000-memory.dmp

Filesize
168KB

Download
memory/788-41-0x0000025AA07B0000-0x0000025AA07DA000-memory.dmp

Filesize
168KB

Download
memory/788-42-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1008-264-0x000001E4F9DC0000-0x000001E4F9DEA000-memory.dmp

Filesize
168KB

Download
memory/1008-31-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1008-30-0x000001E4F9DC0000-0x000001E4F9DEA000-memory.dmp

Filesize
168KB

Download
memory/1048-45-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1048-44-0x0000017E454D0000-0x0000017E454FA000-memory.dmp

Filesize
168KB

Download
memory/1068-48-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1068-47-0x0000026B48700000-0x0000026B4872A000-memory.dmp

Filesize
168KB

Download
memory/1148-50-0x000001FDE3290000-0x000001FDE32BA000-memory.dmp

Filesize
168KB

Download
memory/1148-51-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1216-58-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1216-57-0x000002C4F0340000-0x000002C4F036A000-memory.dmp

Filesize
168KB

Download
memory/1224-60-0x0000022A215A0000-0x0000022A215CA000-memory.dmp

Filesize
168KB

Download
memory/1224-61-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1280-63-0x000001D137030000-0x000001D13705A000-memory.dmp

Filesize
168KB

Download
memory/1280-64-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/1376-66-0x0000028E94860000-0x0000028E9488A000-memory.dmp

Filesize
168KB

Download
memory/1376-67-0x00007FFA4E490000-0x00007FFA4E4A0000-memory.dmp

Filesize
64KB

Download
memory/2764-8-0x00007FFA8CBC0000-0x00007FFA8CC7D000-memory.dmp

Filesize
756KB

Download
memory/2764-4-0x000001FB1D230000-0x000001FB1D758000-memory.dmp

Filesize
5.2MB

Download
memory/2764-1-0x000001FB01670000-0x000001FB01688000-memory.dmp

Filesize
96KB

Download
memory/2764-2-0x000001FB1BD60000-0x000001FB1BF22000-memory.dmp

Filesize
1.8MB

Download
memory/2764-3-0x00007FFA6D390000-0x00007FFA6DE52000-memory.dmp

Filesize
10.8MB

Download
memory/2764-286-0x00007FFA6D390000-0x00007FFA6DE52000-memory.dmp

Filesize
10.8MB

Download
memory/2764-257-0x00007FFA6D390000-0x00007FFA6DE52000-memory.dmp

Filesize
10.8MB

Download
memory/2764-14-0x00007FFA6D390000-0x00007FFA6DE52000-memory.dmp

Filesize
10.8MB

Download
memory/2764-5-0x00007FFA6D390000-0x00007FFA6DE52000-memory.dmp

Filesize
10.8MB

Download
memory/2764-7-0x00007FFA8E400000-0x00007FFA8E609000-memory.dmp

Filesize
2.0MB

Download
memory/2764-0-0x00007FFA6D393000-0x00007FFA6D395000-memory.dmp

Filesize
8KB

Download
memory/2764-6-0x000001FB03340000-0x000001FB0337E000-memory.dmp

Filesize
248KB

Download
memory/4012-13-0x00007FFA8CBC0000-0x00007FFA8CC7D000-memory.dmp

Filesize
756KB

Download
memory/4012-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4012-258-0x00007FFA8E401000-0x00007FFA8E52A000-memory.dmp

Filesize
1.2MB

Download
memory/4012-259-0x00007FFA8E400000-0x00007FFA8E609000-memory.dmp

Filesize
2.0MB

Download
memory/4012-12-0x00007FFA8E400000-0x00007FFA8E609000-memory.dmp

Filesize
2.0MB

Download
memory/4012-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4012-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4012-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download