Malware Analysis Report

2024-11-16 13:02

Sample ID 240907-26b8as1alk
Target Client-built.exe
SHA256 a426b40512f00b3a895a1a9a7105aff8aaf9a065b63675f03bc9f3dad3b50852
Tags: discordrat defense_evasion persistence rat rootkit stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a426b40512f00b3a895a1a9a7105aff8aaf9a065b63675f03bc9f3dad3b50852

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

discordrat defense_evasion persistence rat rootkit stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Discord RAT

Discordrat family

Downloads MZ/PE file

Indicator Removal: Clear Windows Event Logs

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-07 23:11

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-07 23:11

Reported

2024-09-07 23:13

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

140s

Command Line

winlogon.exe

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 448 created 608 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\winlogon.exe

Downloads MZ/PE file

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 448 set thread context of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 4432 wrote to memory of 608 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4432 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4432 wrote to memory of 948 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 64 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 4432 wrote to memory of 508 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 604 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1084 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1112 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1144 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1164 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1256 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1312 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1344 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1384 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1524 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1532 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1544 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1632 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1676 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1704 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1784 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1800 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1904 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1916 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 1924 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2008 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 2084 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2092 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 4432 wrote to memory of 2244 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 2252 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 2480 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 4432 wrote to memory of 2500 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2628 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2636 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhostw.exe
PID 4432 wrote to memory of 2648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2692 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2840 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2896 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2916 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 4432 wrote to memory of 2924 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 2932 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 3144 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 4432 wrote to memory of 3428 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 3592 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 4432 wrote to memory of 3684 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 3896 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 4432 wrote to memory of 4072 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 4432 wrote to memory of 8 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 4432 wrote to memory of 2620 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 4848 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4432 wrote to memory of 4732 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 2656 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4432 wrote to memory of 1860 N/A C:\Windows\System32\dllhost.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e8f33f15-0960-440b-83a5-05771648d155}

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.134.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 234.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp

Files
