discordrat | b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d

Analysis

max time kernel
39s
max time network
51s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
16/04/2025, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kernel Mode.exe
Size

78KB
MD5

6119c2fd88393d762b0bfa24620b91d4
SHA1

ccd132085d4756f88e7d554c671cd7ba01e38887
SHA256

b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d
SHA512

a6a43cb61c18414a49fca46ed39df7c1595632753ce36a54fe9b1f9311c641a2b5af096c5add40d6ae79070760b7f9314ff8796bf1475246c7db6dfb94ddcc77
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC

Score

10^/10

discordrat defense_evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1NDkyNDE2MjYxOTAxNTI2MA.GE89pU.6SDUNoquBQfG7ltjuIHlLjl_DRADwSdfVSug-c
server_id
1351601990072795178

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5996 created 624	5996	Kernel Mode.exe	5

Downloads MZ/PE file 1 IoCs

flow	pid	Process
14	5996	Kernel Mode.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
16	discord.com
3	discord.com
5	discord.com
8	discord.com
11	discord.com
12	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5996 set thread context of 2584	5996	Kernel Mode.exe	81

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5996	Kernel Mode.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
5996	Kernel Mode.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
5996	Kernel Mode.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
3300	taskmgr.exe
3300	taskmgr.exe
2584	dllhost.exe
2584	dllhost.exe
5996	Kernel Mode.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
5996	Kernel Mode.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
5996	Kernel Mode.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe
2584	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3612	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5996	Kernel Mode.exe
Token: SeDebugPrivilege	5996	Kernel Mode.exe
Token: SeDebugPrivilege	2584	dllhost.exe
Token: SeShutdownPrivilege	3612	Explorer.EXE
Token: SeCreatePagefilePrivilege	3612	Explorer.EXE
Token: SeDebugPrivilege	3300	taskmgr.exe
Token: SeSystemProfilePrivilege	3300	taskmgr.exe
Token: SeCreateGlobalPrivilege	3300	taskmgr.exe
Token: SeShutdownPrivilege	3612	Explorer.EXE
Token: SeCreatePagefilePrivilege	3612	Explorer.EXE
Token: SeShutdownPrivilege	3612	Explorer.EXE
Token: SeCreatePagefilePrivilege	3612	Explorer.EXE
Token: SeAuditPrivilege	2264	svchost.exe
Token: SeAuditPrivilege	2264	svchost.exe
Token: SeShutdownPrivilege	1056	dwm.exe
Token: SeCreatePagefilePrivilege	1056	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	2224	svchost.exe
Token: SeIncreaseQuotaPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeTakeOwnershipPrivilege	2224	svchost.exe
Token: SeLoadDriverPrivilege	2224	svchost.exe
Token: SeSystemtimePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeShutdownPrivilege	2224	svchost.exe
Token: SeSystemEnvironmentPrivilege	2224	svchost.exe
Token: SeUndockPrivilege	2224	svchost.exe
Token: SeManageVolumePrivilege	2224	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2224	svchost.exe
Token: SeIncreaseQuotaPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeTakeOwnershipPrivilege	2224	svchost.exe
Token: SeLoadDriverPrivilege	2224	svchost.exe
Token: SeSystemtimePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeShutdownPrivilege	2224	svchost.exe
Token: SeSystemEnvironmentPrivilege	2224	svchost.exe
Token: SeUndockPrivilege	2224	svchost.exe
Token: SeManageVolumePrivilege	2224	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2224	svchost.exe
Token: SeIncreaseQuotaPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeTakeOwnershipPrivilege	2224	svchost.exe
Token: SeLoadDriverPrivilege	2224	svchost.exe
Token: SeSystemtimePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeShutdownPrivilege	2224	svchost.exe
Token: SeSystemEnvironmentPrivilege	2224	svchost.exe
Token: SeUndockPrivilege	2224	svchost.exe
Token: SeManageVolumePrivilege	2224	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2224	svchost.exe
Token: SeIncreaseQuotaPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeTakeOwnershipPrivilege	2224	svchost.exe
Token: SeLoadDriverPrivilege	2224	svchost.exe
Token: SeSystemtimePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeShutdownPrivilege	2224	svchost.exe
Token: SeSystemEnvironmentPrivilege	2224	svchost.exe
Token: SeUndockPrivilege	2224	svchost.exe
Token: SeManageVolumePrivilege	2224	svchost.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3612	Explorer.EXE
3612	Explorer.EXE
3612	Explorer.EXE
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3612	Explorer.EXE
3612	Explorer.EXE
3612	Explorer.EXE

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3300	taskmgr.exe
3612	Explorer.EXE
3612	Explorer.EXE
3612	Explorer.EXE
3612	Explorer.EXE
3612	Explorer.EXE
3612	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3612	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 5996 wrote to memory of 2584	5996	Kernel Mode.exe	81
PID 2584 wrote to memory of 624	2584	dllhost.exe	5
PID 2584 wrote to memory of 680	2584	dllhost.exe	7
PID 2584 wrote to memory of 960	2584	dllhost.exe	12
PID 2584 wrote to memory of 480	2584	dllhost.exe	13
PID 2584 wrote to memory of 440	2584	dllhost.exe	14
PID 2584 wrote to memory of 736	2584	dllhost.exe	15
PID 2584 wrote to memory of 752	2584	dllhost.exe	16
PID 2584 wrote to memory of 1056	2584	dllhost.exe	17
PID 2584 wrote to memory of 1136	2584	dllhost.exe	18
PID 2584 wrote to memory of 1148	2584	dllhost.exe	19
PID 2584 wrote to memory of 1216	2584	dllhost.exe	20
PID 2584 wrote to memory of 1312	2584	dllhost.exe	22
PID 2584 wrote to memory of 1420	2584	dllhost.exe	23
PID 2584 wrote to memory of 1448	2584	dllhost.exe	24
PID 2584 wrote to memory of 1456	2584	dllhost.exe	25
PID 2584 wrote to memory of 1536	2584	dllhost.exe	26
PID 2584 wrote to memory of 1568	2584	dllhost.exe	27
PID 2584 wrote to memory of 1640	2584	dllhost.exe	28
PID 2584 wrote to memory of 1684	2584	dllhost.exe	29
PID 2584 wrote to memory of 1764	2584	dllhost.exe	30
PID 2584 wrote to memory of 1792	2584	dllhost.exe	31
PID 2584 wrote to memory of 1852	2584	dllhost.exe	32
PID 2584 wrote to memory of 1976	2584	dllhost.exe	33
PID 2584 wrote to memory of 2024	2584	dllhost.exe	34
PID 2584 wrote to memory of 2044	2584	dllhost.exe	35
PID 2584 wrote to memory of 1156	2584	dllhost.exe	36
PID 2584 wrote to memory of 2088	2584	dllhost.exe	37
PID 2584 wrote to memory of 2160	2584	dllhost.exe	38
PID 2584 wrote to memory of 2224	2584	dllhost.exe	39
PID 2584 wrote to memory of 2264	2584	dllhost.exe	41
PID 2584 wrote to memory of 2460	2584	dllhost.exe	43
PID 2584 wrote to memory of 2688	2584	dllhost.exe	44
PID 2584 wrote to memory of 2696	2584	dllhost.exe	45
PID 2584 wrote to memory of 2828	2584	dllhost.exe	46
PID 2584 wrote to memory of 2840	2584	dllhost.exe	47
PID 2584 wrote to memory of 2864	2584	dllhost.exe	48
PID 2584 wrote to memory of 2884	2584	dllhost.exe	49
PID 2584 wrote to memory of 2964	2584	dllhost.exe	50
PID 2584 wrote to memory of 2980	2584	dllhost.exe	51
PID 2584 wrote to memory of 2988	2584	dllhost.exe	52
PID 2584 wrote to memory of 3112	2584	dllhost.exe	53
PID 2584 wrote to memory of 3188	2584	dllhost.exe	54
PID 2584 wrote to memory of 3204	2584	dllhost.exe	55
PID 2584 wrote to memory of 3552	2584	dllhost.exe	56
PID 2584 wrote to memory of 3612	2584	dllhost.exe	57
PID 2584 wrote to memory of 3752	2584	dllhost.exe	58
PID 2584 wrote to memory of 4028	2584	dllhost.exe	60
PID 2584 wrote to memory of 3156	2584	dllhost.exe	62
PID 2584 wrote to memory of 4328	2584	dllhost.exe	63
PID 2584 wrote to memory of 5380	2584	dllhost.exe	65
PID 2584 wrote to memory of 6128	2584	dllhost.exe	66
PID 2584 wrote to memory of 1756	2584	dllhost.exe	68
PID 2584 wrote to memory of 5840	2584	dllhost.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7d0013e0-6506-421b-9b8f-cd8e2c1d3680}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 680 -s 4100
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1312
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1640
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2828
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5332
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4260
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5140
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3256
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2604
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2884

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3188

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3612
- C:\Users\Admin\AppData\Local\Temp\Kernel Mode.exe
  "C:\Users\Admin\AppData\Local\Temp\Kernel Mode.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Downloads MZ/PE file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5996
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1868

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:6104

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2600

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:552

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4800

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:2180

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
1⤵
PID:5332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:4260

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c4 00000084
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
f088e5303d7c78dcdcb0b61469f6588e

SHA1
66e5ad109a76ed540638abb1f3de2f9aeca20c52

SHA256
76e977196c51704a1b7050a5e5ffd49fd33cc488e2acdb1e939d41b3b58b3797

SHA512
487a630a852853568f20cfa1ec59809bb1561d12563824f400da2a25302e6c8801efa919baf440584512288fb8d3999179b32a0cac61acdbaf5c562939afc388

Download Submit
memory/440-33-0x000001F5EA340000-0x000001F5EA36A000-memory.dmp

Filesize
168KB

Download
memory/440-34-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/440-269-0x000001F5EA340000-0x000001F5EA36A000-memory.dmp

Filesize
168KB

Download
memory/480-31-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/480-268-0x00000188DFE90000-0x00000188DFEBA000-memory.dmp

Filesize
168KB

Download
memory/480-30-0x00000188DFE90000-0x00000188DFEBA000-memory.dmp

Filesize
168KB

Download
memory/624-20-0x000002C8626F0000-0x000002C86271A000-memory.dmp

Filesize
168KB

Download
memory/624-264-0x00007FFBBA04D000-0x00007FFBBA04E000-memory.dmp

Filesize
4KB

Download
memory/624-18-0x000002C862300000-0x000002C862323000-memory.dmp

Filesize
140KB

Download
memory/624-262-0x000002C8626F0000-0x000002C86271A000-memory.dmp

Filesize
168KB

Download
memory/680-265-0x00007FFBBA04D000-0x00007FFBBA04E000-memory.dmp

Filesize
4KB

Download
memory/680-22-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/680-21-0x0000020A4D7B0000-0x0000020A4D7DA000-memory.dmp

Filesize
168KB

Download
memory/680-266-0x00007FFBBA04F000-0x00007FFBBA050000-memory.dmp

Filesize
4KB

Download
memory/680-263-0x0000020A4D7B0000-0x0000020A4D7DA000-memory.dmp

Filesize
168KB

Download
memory/736-43-0x000001380EAB0000-0x000001380EADA000-memory.dmp

Filesize
168KB

Download
memory/736-44-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/752-47-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/752-46-0x000002B0F9F40000-0x000002B0F9F6A000-memory.dmp

Filesize
168KB

Download
memory/960-26-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/960-267-0x000001FCEF1A0000-0x000001FCEF1CA000-memory.dmp

Filesize
168KB

Download
memory/960-25-0x000001FCEF1A0000-0x000001FCEF1CA000-memory.dmp

Filesize
168KB

Download
memory/1056-40-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/1056-39-0x000002C986850000-0x000002C98687A000-memory.dmp

Filesize
168KB

Download
memory/1056-270-0x000002C986850000-0x000002C98687A000-memory.dmp

Filesize
168KB

Download
memory/1136-50-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/1136-49-0x0000016F19C60000-0x0000016F19C8A000-memory.dmp

Filesize
168KB

Download
memory/1148-55-0x000001B7ACFA0000-0x000001B7ACFCA000-memory.dmp

Filesize
168KB

Download
memory/1148-56-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/1216-59-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/1216-58-0x0000019ACEF90000-0x0000019ACEFBA000-memory.dmp

Filesize
168KB

Download
memory/1312-62-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/1312-61-0x000001E8A7260000-0x000001E8A728A000-memory.dmp

Filesize
168KB

Download
memory/1420-68-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/1420-67-0x00000125E79C0000-0x00000125E79EA000-memory.dmp

Filesize
168KB

Download
memory/1448-70-0x000002D930FA0000-0x000002D930FCA000-memory.dmp

Filesize
168KB

Download
memory/1448-71-0x00007FFB7A030000-0x00007FFB7A040000-memory.dmp

Filesize
64KB

Download
memory/2584-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2584-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2584-14-0x00007FFBB9FB0000-0x00007FFBBA1A8000-memory.dmp

Filesize
2.0MB

Download
memory/2584-15-0x00007FFBB8E10000-0x00007FFBB8ECD000-memory.dmp

Filesize
756KB

Download
memory/2584-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2584-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2584-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5996-9-0x00007FFBB8E10000-0x00007FFBB8ECD000-memory.dmp

Filesize
756KB

Download
memory/5996-8-0x00007FFBB9FB0000-0x00007FFBBA1A8000-memory.dmp

Filesize
2.0MB

Download
memory/5996-0-0x00007FFB9BC73000-0x00007FFB9BC75000-memory.dmp

Filesize
8KB

Download
memory/5996-7-0x000001F4B8750000-0x000001F4B878E000-memory.dmp

Filesize
248KB

Download
memory/5996-6-0x00007FFB9BC70000-0x00007FFB9C732000-memory.dmp

Filesize
10.8MB

Download
memory/5996-5-0x00007FFB9BC73000-0x00007FFB9BC75000-memory.dmp

Filesize
8KB

Download
memory/5996-4-0x000001F4B8FA0000-0x000001F4B94C8000-memory.dmp

Filesize
5.2MB

Download
memory/5996-3-0x00007FFB9BC70000-0x00007FFB9C732000-memory.dmp

Filesize
10.8MB

Download
memory/5996-2-0x000001F4B87A0000-0x000001F4B8962000-memory.dmp

Filesize
1.8MB

Download
memory/5996-1-0x000001F49E110000-0x000001F49E128000-memory.dmp

Filesize
96KB

Download
memory/5996-420-0x00007FFB9BC70000-0x00007FFB9C732000-memory.dmp

Filesize
10.8MB

Download