discordrat | 5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

Resubmissions

30-06-2024 18:16

240630-wwqeaavfnq 10

30-06-2024 18:10

240630-wr1pfs1hpa 10

Analysis

max time kernel
39s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Discord rat.exe
Size

79KB
MD5

4a825505953f3f758e1da9bab73df39e
SHA1

ee7226735ea2d358d8628e037f35d38fc799ef50
SHA256

5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977
SHA512

43120fc749ee67d7b8371aa921ee9a7b3769cbc63db06c0dd5cadfa7a83aeeb51e3a54ac4e8c0738cc58b22bcef0d8c5198b753626955371823d11a54d0d12a9
SSDEEP

1536:UeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqik:rycDpiiSoH8ovTpFl+ktd2+6CHpHKcGw

Score

10^/10

discordrat bootkit evasion execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
server_id
1256666099580403734

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe
PID 2208 created 620	2208	Discord rat.exe	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2524	powershell.exe
1520	powershell.exe
5456	powershell.exe
3048	powershell.exe
5916	powershell.exe
3896	powershell.exe
700	powershell.exe
4980	powershell.exe
4504	powershell.exe
4536	powershell.exe
1364	powershell.exe
5140	powershell.exe
676	powershell.exe
2144	powershell.exe
4396	powershell.exe
2312	powershell.exe
3784	powershell.exe
4896	powershell.exe
1368	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 19 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

pid	process
4128	NetSh.exe
3512	NetSh.exe
5940	NetSh.exe
5968	NetSh.exe
6088	NetSh.exe
4404	NetSh.exe
2284	NetSh.exe
4704	NetSh.exe
4012	NetSh.exe
2340	NetSh.exe
3836	NetSh.exe
4928	NetSh.exe
1660	NetSh.exe
5380	NetSh.exe
3884	NetSh.exe
4252	NetSh.exe
4520	NetSh.exe
5424	NetSh.exe
4928	NetSh.exe

Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

WaaSMedicAgent.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" WaaSMedicAgent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Discord rat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

17 raw.githubusercontent.com
19 discord.com
20 discord.com
26 discord.com
16 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

wmiprvse.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe

flow	ioc
17	raw.githubusercontent.com
19	discord.com
20	discord.com
26	discord.com
16	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 8 IoCs

Processes:

lsass.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 2208 set thread context of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 3188	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 820	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 4620	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 3676	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 5572	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 3460	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 2520	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 1184	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 5576	2208	Discord rat.exe	dllhost.exe
PID 2208 set thread context of 812	2208	Discord rat.exe	dllhost.exe

Drops file in Windows directory 7 IoCs

Processes:

TrustedInstaller.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\EventCache.v2\{4E3A2C56-F6CF-44DC-94A9-BA869AC1A54A}.bin	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mousocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exemousocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exemousocoreworker.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi\DeviceId = "<Data><User username=\"02FTCYCYTOZMILOI\"><HardwareInfo BoundTime=\"1719771034\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\DeviceId = "<Data LastUpdatedTime=\"1719771029\"><User username=\"02PBZBUTMQJQJBTN\"><HardwareInfo BoundTime=\"1719771034\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018800F93212709"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1719771032%26hashalg%3DSHA256%26bver%3D24%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C539_BL2.0.D.Cvq5n4CP9qwW/Vhc8CgY69F83CAeXBauzeFYheoZrrYP3RPR/AKFv%252Bz7ynD%252BF3ync9ObjiyXinhgxphL0GxUDog7LHlYKgGIhrOS/AzDQo4waZGK85LUeyCUts4Qei6tAg2q0RK0bA%252BGF%252BokFnomq0I1FKjdXAus3UipQg4xljGRGijqCDXpQsbS6sLHB4k9CFaJ3VCXqPSGyHXISpirMDNje6WuxxBjcPv7oIwLehx3N%252Bjh4BO44DgeHR6/RYIWiqAXqD5aAhoS5Jv1h3HfvAe6VI7fUDT8USRBnxrfnLHfWFC/z5oGZHKpEkseENZbacqhoXgvNJZ33qLG7gLcFCuzxgEFeuLqSExdd5W2IGE%252Bgwz7Cpt%252BAcQ5lurdb%252BcNQW2378w6b5pY6HqvsvxNdAM942xm%252BoS6Ehtw7U91Hzt7g1Thv1TR9tQAGkwFUgRv4qH7k2j2cgH2Bt2iMfbrMmhtSW7a9f29RNzlMvD8TfkN37RYRyte1P0EYtPoEXVFl/4XCY/SqrBDiZuxbdSPuoE%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3D4Q9pd%252BCbEvEfTh476ILvG%252FY1v%252FEdhPzn%26hash%3Dq61ZzTuDMWbPHbGWRbLJJ3ZvDZC1QwKMvFL0JZ24qh0%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nkuaprocqgzdqg\Response Sunday, June 30, 2024 18:10:34 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnjh7m3eA4kG9TS1QEyUaLwAAAAACAAAAAAAQZgAAAAEAACAAAAA12kLPX8Ty3FicZpRRVtoXXaO6oO97aqNnreMuUB2JwwAAAAAOgAAAAAIAACAAAAA7LrLyXPXcilAu0aWRgjywKDukJ8oQSj8pZ7jWCBDqvpAHAABn5pfR+3mgLpjvBpRDgEPSlf3+ktLQ8ThrCoeKT9Cg/sWD9bGdh6UZRGMd++cwlmI5YiQgmp/R/3u/lU6DHbk+mzkUti5xR+I1byoDVKFiBqCOLRo0+yQG29DzHDLAodcjr7irHDszb1Ol+WLEaMiSfWI/DaFHOYpUJbGAuDZ3bsCy2J+C14yr2b4yBDfPfkSTsJM2lmUaRdHkX6nbJLQ4kFmj6ujiCn4dAkW/z7vXZmbdttATzzyddzvt6Zc3ea9S/8Aej/iGBjlQNq1IPvLsYSmyBL76m39Avfn+DfInp8oIN0J8FvgfP3rzTYLDvQ1CVG46B8hNQCAZOqQbZOLL0IxRlelA96I/2HxVGsEwpHN944o993Dbe1L7onpGwvOSiCzgD+w/akcKdvPUZPPC4PTkcDTusInmNLx/DDSbA/L7PlgF3vYgNJf+WwEv/mBihl5zsHYD2CNW7sfkn/EAu8vTFAHNZpNuOKtpWSkfMgLtsRwXEsMflROzIt+jJ23A5qkQjXbZv0Yk04GZcpC3XGUmW0yyuHGrUVdgop8iTJAbb43387eCCKkn8+vrB26dhSJR6WYxrf/N6eqFInMD7e1wI3LaSx27SPlWX/ryhDh/Px7zy/FvaoIAUeXhfAu+rCFZHJ8vDw0UVDt8zMXwGWumoiJAy/Rt0CK6C4jrbgFRqCQd0zf+MVreELgiix6Ib+0lm8egKMFbPxaJoDDPZFKFhyzIr4v9n+J+JjidhJeEh4TA5Lz0p0hMhNmJGC5o155wfjY7nVTXY4cNoV41KLWLDYzSna/dRwNhfbRX44WtrAd7FcJN/pFDQqhnRMEe88AnYJdTMHhRjuTSKIsTtaT/TgkdtuFHbGEuVaIbl2gj1rDU/LHtdlP2c9X0GjYurMlOzGr4lDfYjsEE1tZ8si/NX5ZOe0oyvslTretTuQDFf7DBxtgoJ4spD0iEpWzoUCR3d+wCq2GJ3k5C/Ji/gpo3pKwTu4CQb0mTAUEjzMqVOLQ7Qulg19WcFYNWzVnvHi8tefcty+Tj5eaHiP0LviYsUXRTGUEZzmIbbwC0v6IpJ6wnjZ7FjHRvDAovZFOciYXUWpNxDsJNQAimWZKvPBdwbYnOBxZXlme+P5vOEe7jkrnYKHmfsfNZlxSyZ663mU28QpBdnvo8ulqQwK1/6TggQbpD2AeJ2Z08FYU5xoY7B8fPRXrP5e9LuEpDKtUJmSDelvJufNhS8pSlYcVNNro5rrdTOaaI/JGAoM9CgVjG0SOyRgBZrVikJzoPefWgH5Upppm5/RUWVBJL4XaUmUQDB2aWZygLiDsy6+h2bw508xT+P8QnPf/VYWTdvKMd9US7dGfrOVrJiayJeaxk4MAZMbiNNx3GUp2TLDM5YAgw+PJ/PBZ8P/6CmcmEPHv6uGBSWQEuhO2khp5We0KVbiIB/ceLJrxuuTqnKaHDF/GcmXcuTwJq/IpK5X7eqzktzbSivGCZRxcIzT0CMXpkz3/t8bgOZ5D4mVTpHD1rV4068mbmaqwEoje+oMsxDOP+n61ls0hBjUaAx7fhlonobwB4ZS//ffT4lENjINyShLWnf6g1MV6Zds/6tbFXAG4Ins5GcU5AEB43tBBbHk9E/aL0tEcwcgz3YZ7l+2rpMvBMHphzkHApMP8GSco5zsLJLspNreGaXISavg5b+Iouk1PDUMXJgQZKXaX6vIiRgGEhpr0u3MZeU04PonNNu1oNg80Sunv8o7a9UB6jtYy8tJaQ+XAEzeBLqRvGbpWjNdkfwC3YTLYYY372PfHHBrgXr9dz5ctRXm9vaLUNOKs/kneG84Jb/cDffiLk2BSCsaF4ziD7MuvBzPhTti3hriBojsREe69oAL/glFvTV+WAdb3JTlf4xAThTPUwr9M1J/4/bcdlNg+2O+WeDGI73YeiyLss5BlvPMTEzYjQmtZqSUhHOBKkza8OiSmagav4H4PfTVmMKqqFZAApd6v9GMsy761n4kXLI7b1P2ccIO+61mmFKrmBb9eBGmdoapT8EHXNxqYgZ+MvWDO2xOihY3I5lBZ3Ap/DDChgzzaystDrn58LtTUKkOZHTE0I+gK4d0p1tUQ1Hefv2rX3d3/9qL8YBL6gA4/QEoOx821iH8LYmNIpkBGnwbSRHM1YiUGVrjC2pI7qCWTPyOjtHCqzwreSIhxI/fLR1sbfDVfd3GbDvXHhXfUuDm9Jytn4QWTL+iDXr8saj6hWy9gt4mqi2xtC7i0mxViezgCQFFT1vp+GTl5nU+0AGT2yo3wx721/u9oxnWxdXfK7fHD1+IhVPlR7AV8L0Kdq+C7Wleg9RGa/WTMoSkShJMWN3FcmlVTipCaY+euyf7X8+x/aLxtuUOeZ/R5Mjy8OthcRhwQqQCY6xOHn96Gb2ljxlZ5waabvmysuaFFXGrhflEBXWUVkDuCMNlXvFUjt73eCH10vnTfKEFqwMjJfQL9HsUGkL8oGW25ZyamqbSAexA/D3TTYfx2Bs3uuuf+PrQB0WdQjaVVmQBh8N/1tzBOUswb6+KRK7w/JP3fH6owf1j3R5hpG8kfUSJ1P+ey5i9dMl35EohUNQAAAAP4hLX/mJWrnji4UnQk9g6VL+PDvJZr3qGng+jJII+ZTSzJP5GnoWWuHsGHimf25NJVZcgOwhwtNZ6hSE69VR4g="	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02nkuaprocqgzdqg\Reason = "2147780641"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pbzbutmqjqjbtn	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018800F93212709 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000bafa4e1cec2ead41a6ab3c1b458ef402000000000200000000001066000000010000200000008f1d77cbfd503a26bb55a1bc9fdfdf5f8e164eddc1126efb11ce1fa5d8e8d730000000000e8000000002000020000000fa68a9aa90d744488acfa5715d352b70f2fca64e9fe984c3215cda628886d51480000000c691d1cb155e7a2799c22e1dc433e905b8e30d869bb245b728c1194d5165828fe2f9c98a25d0c50bd8257d0edddc690bc6fbc7a6053283e22bc7a492d7ddc8d66414e2e47d6fdde72aec9ae29c481706d423d593c2bf9590e78c8fd6da9b8753f87c0ee1a9cb4e9025447b0ab2a16e527bbe60db046b94a99798999225a01031400000000f4d09b240192bfdf321728d85f5e81993cf03e811313e70075f25f2b605100f60d09569398f5049a65c5ab43b178ec32e6ba638c05f6ea6a114288a2231c5c4	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\DeviceId = "<Data LastUpdatedTime=\"1719771029\"><User username=\"02PBZBUTMQJQJBTN\"><HardwareInfo BoundTime=\"1719771029\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Name = "DIDC"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nkuaprocqgzdqg\Request Sunday, June 30, 2024 18:10:34 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnjh7m3eA4kG9TS1QEyUaLwAAAAACAAAAAAAQZgAAAAEAACAAAACDuvmO2sNbFNcscLyQu5hwX2JBxvj/bQP/gBtDtUvHdAAAAAAOgAAAAAIAACAAAAC5N15w/3edF45ZdDNZKnmRfwn2HEF6UbOfaK4xqCRvm7ASAABU2U7GcWbVP5BxIMl/ZIId7VTP4Qc5JetTpIKUaT18K3DFrJE3qCulOA/4I8dPxDSYQr80ItsG/HHs8ZLU3/zSPesL48PTFyUJ2fgVbzAdoCcicm0/Heq689o6+1qyPcOO1OPMmBGSpnEjPVF9oN23oUy3T3jW5b4SrJfHJmzHkamu1J/Iya6yQvJ/aMJ5k+puMQZtYcCR3zvMpcPa40zvMKJE080mozIHLCdNY/q+q616NaJSEezyZjKYiitu/JHH0hgBbNAbIhbbLKKR3TX0egO8ysrwu3YYSdbq4vsez3D7GUkphB3m3EqceNWt50L6idfMKnE9YOicFAY6cNnNLo9FPYmsNRiPmYeKqZCI3vgS4KO8Yt74kmKTGluqRbMsJRmPCwTd5fw5g1HKuJ1NFK1LG45gHSILl9hcdghSbFkfEIjd5j1n9vFwAeS4EnLhfi17VWQuYJUK23CFRp3e+v9icdexdZSKkVB75c8X2i0tnHyIQxcGnLlx9m7meKMB+LkO+kHmUTYs3Qu1VkPXkPv1ODE/2tN6x985QtlFL2frzhP4gKjvZFKGVR35vb893zOIZN8B+gc0Am1Xw2A+kBUVoXdy6KMj2afkoWoo7NolUKxHITCLaC7N/pHrjGJ998inL1O+p3llh3zOKt6Nwm2rzhVg8TPQlWzXS5MpfjGVWTUrkSkL/2ey9pFsfR2oLTCGQYPTfyHVHPUhLfVi54kJAOX7iNS82Ih7VZTENqHDeiBjcbmZedAJOVncnyojLuGX/saWV7kkh17qNU2b+uPok8xVMF47dBd+j8Ex1wTO2mFNUol3kYAhgM0VgJW+S3T+yRIZYwq4/oPke688zex4azur/OLdbptKcxj3gX5SDtuFCsnTQCFJ8KGIRlA9A9SFA7aaH0OA1RKTNOqfql24twTnoxB1K9ZtudFegjoTv1RHAuWtZwVaT8eyE8+tK3Kjf/1xKWaOiI4AiYXGaMDvyyTrNMhMa1j09K06laaegj365z8EoVDah5slMe628vg7OhNG6v+dtgLRigDVjPQDveCixA1bVNbXExZ/z30+hLKsAYE+l+fGoFL7gEqb+QrIHMkXxk/xu7bkOzhqrAwrn2ID3Pi0gZwElyvticHnFd5HmWqSha7IUtVlAXz6LazZkPQiQKZVIjuSa+Aj2MsItzFg9DptKTXN92DMi+Si6RpBUxXjetgsjk1Hr6IWcj0Q/NiIJHjERN7Ziqufj25A9m18tMeVUWm9MHplQ+Dm85UONIAruV/ftyDVr05BsKZAs65KymeKZUjHoJ0fw5V07FRdtnypxRldxg8hpUt9L6RPRsqpJRpc0NOTSj1dsL0Yq+zavYomEPMrpSPJBoDeNneobsyAt6qXnydCdJ9QbzNj6wKPLdWE7rsKmHor0HYI1jThDf2AGOKlKE2gPuMnxGq4yxI9/gsws02EnaYNLVBsmitqKdhTFeyNNYIHG45HiT5aJHHMw7tv4Bs+TIBQ07ppxBESyCSFLCPv2YHZV39tYATTK9Y2pvvN1bxmHw/W94PRRKJGzQUxNFxGDfV6MlrZk8l9VzDaDlwyEoWtRsYV95czx1eYpfuPf8r0yl9Mv9uxmx4tkifjxkOsnfOP1j2Xz5L8f5hk/WHRMVSq3Q8Ie9UY6zS43C2evr5XbLqJaeEjpFRft0ZTpb8KPX1Aj4XeUgac7umJa6T6U+zXqtyQNhFnc+2PuPTDJFZk9zcqRZNPkktD8yeRfJbdaK4FbTu5DllyoQ61KY8H0q39mmWlRvWQ3lQvye9EoMLAAZoLmC0PYZgckqLK8Db22CwFLQ/2SbpYcOCpCUnUP8HhO/iOsFgP0exiuh7mOLZIUSnMsfL7bsQJCKEY7mxDdTDlPqJIgLrJYvq37G3bRhyOKspHtJeHg5q+Xx+Q+gB5IYFBxI7HuNFyMMG08O92+ePLbZ+3KK55JWAwzHoEY6H6nET2j8tx14hHtm5RVnVTlME/ReFSH3qOtOgOCXSUK8frSqnDEDdhLAAOT0pdkNBQ7HRzIkT9XHyK7rWmRogqL+TIf0CK1JfBvTIs90YGo1zIF/fr0cZnerLgoCAEc2gm6pBJtiVPIx69ClShM1B3H/tyV8q3Xnbr83q/A2+FzP0Oe25zsI+BpECpM59NHT8vrI74eya/rD80t72XQo4UKU/pKWbHEChAh+1i/cYx0+f2BdCSrwiYwv3KsSrBnagbWrniT3n32qN5OBK7rra/RiPGHrbYjNL8n2WYjSvr5HUqLbRenOUkxho5kPCsWc4Y5L4SRstkAi1fsy6DKj/9yr43UteiFyToOsDmiu5TroILgCixU3+h2g+miO0k7tAN7N9voKiHI3y+44IYPsyOY9jgPPyT50gB9lsACculJx/ClsG+mUeVfHYD/gl4AYW+LO3nYrg8t0Yjn6yaVY8ItmuLJ6/Uz3zFORPs0OuUXSYmr78pkK25P31i3n6PKBMqXINv5/LPhC+eonqkkZwmBzyQJxUaby88tnO6yq2n9GPwkO3AFhbaIv6qYBQ4NtRD5WK2ueqUFmPdgfhQ5YpwS42u9o7DQH6yd+hMmQcw9SftApHp+lxJABMT7lGv6gYeTXJiUH/N0+xJhRTzj8HlWRr+Oz/eQa3P20csTR7HocCJGe7Z8beqzNyFwv1sXwiiErKhAvRO/odqH15EjWaPZLdQM8Fwut1LcoLP4XIjGvmHev7EVVEMunKKtjxKwJhfeP2S8StQPUho8aNAX6BH/XWSFaxzLx4LncE57ZQ531O9M5jRhQswIW7AFVY3LFceyVvcq4qCpm439DTwyKPIcXK/fqb63lYU8CGzLzKf7iauVoWcW5ZlhHSK6ey2hbYCKSyzv8QBGxpfz5AsCYNnrAH1k3wyMCdDz+xNI2vOVARrOFnQEeuAw9P7RQvnbZ31kA7qziRkYkIXJ6FdwbTEj7+vWIqgkDMWVXea7LjFSzzLruVrwxhBmqRIMqCK39XRT/mTyq20uneGd4eC/K7ERPOSf77Zoa1XUG8TJEJ6L1zdqWG8vseRFsyKLTW9toXS8jcgjq+id6xhC2iSjJ6IQ1dX7IbaPCZp5W1OBaH4c+Qg7Yx0y4gFBJXzZkzDMltH/vOTkCAOOiY9kh0NDQxDZ6aEE+7EPa0eARp419orZv37cX/pqYl0xyNYIlMwF8ijyUYJjsK+CnSeY1rIj0swMIwiIUyfjAPAs0r/bDCMA3XuPb9GlOSnzA5PEki6KU78pn2yadTVyCjE6NCmV71r7czJVdw1oGTMlG0g8p0E3rQwQKVbn7+BrpBtFd7oicxS1u6CwCyurjqJPzJM84R+lXblAG7b4Yx321sOkTASntArKk6Ur4kGhfzspc7LXLAfNs1WJelGvtgtU5141Kh7jroRNT/TgzUYXvvYiJDzNZl+xN6y3Ar2RIzUEuUPz/7Rdh/IS5QQHwL11mwR0w/YMr7U3D7ya8lhMhRpLGoQ95RH16E05fAszJQbCO+gpW/16Yyx8Y4Fhht2zx5/sRXTEA9FsYpgFO7rlao8H2DfAKgi5GCKWG2HUwxr5dZ8Ht92V8PDTtPZ6gZI2HRkqz264GauE/hZ4wChOnaMDECCMv9m2agI3UGLEpPyZubFtB8j2ZvCZ9P+ngs8MlvmLxq4Ngob2pjDJYHiexatOqZTDAxTE/i6rUhGWzLg+ifA0fqeTHgMwsu+XJmHUyxwU9D14eD78oFeKXN+i/puQxPN7XWOt+burBShwW+vIw8Su8CNeCqL7juBFVJq7+VCOGV+UG0lcn6JoDk8Uo/gJ8J8uVZTvkzMzfmGLeNTsXWTyiMR/RXPrzNdebg19uDpfOThTRreGrAvlpFwfAJArGCpwX5C91CPOrMVC3ZJuEJMdPxPCUwTIFkkfS8AejBYCXSv59FAIY9C1Gcapd8FqJELcmbY0JMQUgIsQJgcgq8+3YQ3IbXQg35vjhm4k2cps5KJDAVAFiZdqCXBSxpCRdjq6s6KrFt06xBYAfSSQgB+oEZuiWrK2dsO3uTJgaK0e/dvbb9+HjxCJwJhfDZSh9bJaMwyoxQaoN1rlijcuGjCROq1HCq7wfs3U3KyNTaOpHsk/up0veV420n+G6tYIm0Vph0FCIw4DL1Se6mT3Ukz79KFvME3TGEUTdwiC7v0RojM8UUcb5UYqM9a5u/m03dAG4XJken97lvZp6YHcLIL6c8dHaplJLaAIC4xeKRy+my6G1uLaL1pG/ait3fKFPV/Qa6pyumnUdzXn7rgT9cpntPCktJCqWRG4jj2z7tmlW/Qt800sbRMIXm6qjaqgDLjX7wXC4gxbJG+0lT5JQsh2fDpH0fn0aiyKlnty7acfRE2d0sBIMpHWTmVEUaWUmZfLBryEov+mAvLVx2NOZOZCKaf7zVnVzBiNV/jnbFnHFYOALMyfMCNb2rqkq60RyGPASnGauqkRf36iE5ZTAmz5hV2dMOTLxLktNpG1HGNKyE8JhXYDfs3s0iM/xsMo5RrbDKhxrwYfOcKK4FiNaXqogJB79SVPqTHYZQrvpUnFBsj/PSvZcv1r+3tndt2+4Y9/tohv1uYWx+dNpFFX6gTiyHI0bd4uy8i4LnSdn9rcUF9+6qrqosDEvW4y2cNOD6pOQArYDCeOIlhRhlUQmrs61WkW0+/JJJi6DGhsNiksmbxAsEKaVp3b/lW+VL5XcTSk70EvfCN7G8IpGms0UMglantelsENUwPBhN0fnNJ1VPTx4kxcnRn9l17fj3xF7xkK2reX4zQhmQ+Na+SbUX+yYdwMMnl3kI8tFoEygso7GtPgYb4LtK+NT+t+IGZIWYTm4DpAq62A+bhTYzmx1ZXOawPG6Y3XApYU3lM1YajRy9SMz2ubd/8rhzLadWCw3UXmlsU9Cqjmahmf/7RpIhHE9WlZkq/CFkgqHJdYioYpZ4/loyY64z7nk0YDf6K7D0speGX9jxpKk0ZCxvN+XkIeQ2hieteERJfrRcO71ALZjmH7rdcFfyYU9Hof0N+VTJUQF/FvWF79mVCWMaupXyX5bzLxXzgyl/PO95SNYhue5CVP2R+r9ZaCT/eGTERSTNMpziu742ypJ68W9JIWwrlArvpANvqDa7IKZpD+u/ODAkcPGPoEWcNKh2R40tG8t0AxyBb8jQNdw9UCSWYmpFR+qpylQlShsMlveyoNpNBrj2UGoYC4kZSmrub4frIoG1UwQ9uoxqO2ecr+uAuE7tQtYpTXsg5Pky0MRE2VNi5ANVynTcRNtx3dFELiLUNBxcUwqbIS4eo4pUn8nz3g1yS03MiIooywqe5ZIyjQ6pNlUWcOA5sbVdtGWAUbeylTsxf+cueORKn+UzFfW4lR8r1dcq6a4W+tGB8of5NiakBSg8X5FHtwCDAGKeTdSjWzG3xmnbN0mcNdioW8U/oTod9U0acBy6J2DuzNKR2kHgPmG5FrfmZPs+HVKEoZSRnJIXESxn0D0ddeoJaE/SMJbHWLQxxPphY/dztkoh9/ULO6oNoFzDUjucAXa03p969vaxSfbJ14nHhvLJ8968mD47m6H9ZJbH/t8aiDWfQ5pTZjKA1rrRq6pOPvVt05RZ/VapVK2MCBpsHcUAD/YsHIn4FY5K3Uj/LiktYBnrIFCdbB9vSyjnpo55OvjuL4teYk8VxNBcfdi+ot18faWoIGWxVmtgNp7T6xexMOHH3o935IY2AYkL60HPFOvZU7aNk0tNpiuacFFfOK23jE3y3xLaOncnWj8APNOfEL0kr3V+w96z89XA2icD5ewqieJ47QVd28hl6s4hdkWg0PMFtfuODsDRb4UqqtO98TTDcvpatnDJeiEE8/TpOv1XLfEQmqj1wFGTSKfz7S2gPkbTUOBwq5zp2gfhCxsiOs530g4Wv7VZLSd41eVpOH9/pOho/GNFaPK5WfgLvbfAycZIrhEShw1i8prRk7cgVKsMApSiAYAZtNqBqBSYGPPwmv4mXPSp238i2mOn3dWXwKCb3+oZgYFUridNO3ugW8c4rutsvD5CNrgA/+KGjGGbJt5h/Q691dx68BGHyjd548wqSNGNGoHG76PgKuVyGZIbmMdmxcktY1QIUccvWrzIlAHD/+ZAsKy/aoL31Sl+lxKsfnK+lF0UuudQwZEQTFxZvnyC5GU4twHh9zpH9KAqtd0sbJhQjFQ8ci0NTR5c6H27gA8IWprWf0PW9rQ5PhsTiyyiRRI9o6EWE72kME7hqzdsi/vUKbw5KVuCMX7/Pj9yDmnQr/sWzh1auq50JgFgIkHoL3mmyB6Adf+CKidJmZFqa67LQBtnKZYBXEA1Ts09TAGd5tCx+rfFcc3CyhcGxIrqLGdrFPMjx2NoiqtePKBI+R4IOcGPda0+YH2QPCBRt5/jbaUAAAABTK5YUJee9tvEQz1NXTJh1GG5m83ImnyiGhTtkTRuuwLNjjhtYPLVCxsrdw1ogaoyWjExHJLZxgSNNoR+eBWT8"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pbzbutmqjqjbtn\Provision Sunday, June 30, 2024 18:10:28 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuvpOHOwurUGmqzwbRY70AgAAAAACAAAAAAAQZgAAAAEAACAAAAA1GmXmgJv06nlUK30eMjGBZXfOjrjvsmV8P5qyanzUiwAAAAAOgAAAAAIAACAAAADK2SIIbDJnBPa2/jn87gPoypBxI4fm7DLvTI/gamaNjCAAAADZ1dsrhYcIekLKS/hvBtKbNok6WXsRE9n7zx/2IAWxUEAAAACvusdp6D8JRJtuj6/OwXS2ErbOwnWkejADaqVhVgp9pG9jBktP/P+P6KtNLgBHxRnnXFu+5/lySJnzBF44Tjor"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018800F93212709"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\ValidDeviceId = "02ftcycytozmiloi"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi\DeviceId = "<Data><User username=\"02FTCYCYTOZMILOI\"><HardwareInfo BoundTime=\"1719771038\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\DeviceId = "<Data LastUpdatedTime=\"1719771029\"><User username=\"02PBZBUTMQJQJBTN\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02nkuaprocqgzdqg\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000bafa4e1cec2ead41a6ab3c1b458ef40200000000020000000000106600000001000020000000baf771b078ffed68753ee5011144d3caa7631b18dafe415fca345be2390a7404000000000e80000000020000200000009e1892eaca5686206fcc638570fd4600423a2d013cda205968443be8c5d6bd3db0030000bfaecbcc4907e724e9a1925e7057a6e8d378765386754e18ccd3754b630c531826fd1aefd3775395979e6a09177ac1000dfd1d6a856fd83989a03ff3c5579060ea660ea036e5ab2fd7b0118b337854f96de8d229adc0fee476be4874311efdbbaed945e5e6f0896a6196bcc7daa4357f022639a9b62a9a336803228d0fde0128012c487b4832285186ff471bb674f975deefaa071410f90b59e969f2eed652ea6401e596e35e953eaf9b4bb05b9f0a5ea5b67dd652c661f5f4be66aed48304184325fc74a777a12fa593523fd559740414ab2c125914ba6655079af5879f5dfffe52eec105e5116c413cff34d259e22b8e595efbab7f6734f48643d8bcc5292b2036c827fbad70393cab46fc13bced1e7b4d88f727e1911e4ac07cd714c5235d3619176ee171b2324bc91769c4294e7bd6cbe28b6c5708cc1262033ae6d4809844ed5ff89b7f17f9e34bc32b8ca5f7876c5c67bc968b8224d2988dd015da35b08749692f1e077ce040e2a889b6a81d7339d1f7b2b2357e87864a4835ff93bd017e175b373b5e7d9aa8f71ef5cf2e54a782cf14af91c9f38fe8df51b4a3fe27309bed0983e4857f282b99c632ebbf9965f2b58aca5fa5f1d067430ec5c6e3c6deb1e86c26e73e1447b5426a2afb0215ccb05f86f2871e60dd49c9ba6c9f6225e74f1e35d1e59cd28920a322f8b53b95c5c0964d9edee6ee7be450c3560dd97b42926895ef7b49bd4eb770eab11f349ccc85c459bc6e51802394f45dd5dcba8a204f043918392ca4f4bdb3ac1290404b2cc566cf6bd7b9ca3b03f7f1a717e6ab0f28cfa8f0e3fc2c1a626a903b7f849bc4189905f3da01d61cf0737fc230e786cb861163c6bb5f838bdad42d9eaab1227235b96e77cc158054509bc29d1e8e31be78fd92ce7c020a52dfba9977cc3f0f31a6bde24bbb94cdfbfc5e19e5e5b747f4998c73aac7f33697481de6753ff907b07562572e9f93dfe886dca7d9dd83bff9b658f7f069e601c507a728e772c7e677dbd85a5c7264de62a77e24fd75556ab68034e7096aa9adc18ea5ba01796514167837b6cb761c7258b40d2f363d013a21aa6be68946aebd7b1c5d0d64d5f1e0fcf5a5ba675fa7e13312f61249633ef8ba78cfdc250720bf7967265301bda8b2790e65d26effee55e108cbd59cc9d3438c4dfb3e94a1b51cfa487d7c1d802c5c73ab82ca74f3c2a92dfb2fce61d35f31754efd2a6c2a3c961547f33b72ea78b5481119a688472e56b8bf5016db61764fa1089ab1e0c5a1a7e1c46f0ce9c753c413209d709e6ecb72329b9daebaa2871129338f727bd91c99c5eea959107de943ae4000000008a27be1a2b51a9f4816fd8de135629802cdc37a9573eb3e65212521df82f79dc5064ed35de5fdcacefe9e0f5454b9afd4491b72768e4a34159692bf4e7a8c4a	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02pbzbutmqjqjbtn"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Discord rat.exedllhost.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exe

pid	process
2208	Discord rat.exe
1068	dllhost.exe
1068	dllhost.exe
2524	powershell.exe
2524	powershell.exe
1068	dllhost.exe
1068	dllhost.exe
2208	Discord rat.exe
3144	dllhost.exe
3144	dllhost.exe
2208	Discord rat.exe
2900	dllhost.exe
2900	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
676	powershell.exe
676	powershell.exe
2208	Discord rat.exe
2208	Discord rat.exe
4980	powershell.exe
4980	powershell.exe
2524	powershell.exe
1068	dllhost.exe
1068	dllhost.exe
3188	dllhost.exe
2208	Discord rat.exe
3188	dllhost.exe
820	dllhost.exe
820	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
676	powershell.exe
676	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
2524	powershell.exe
4896	powershell.exe
4896	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
4980	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
676	powershell.exe
4504	powershell.exe
4504	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
4980	powershell.exe
4896	powershell.exe
4504	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
2208	Discord rat.exe
4620	dllhost.exe
4620	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
4896	powershell.exe
4980	powershell.exe
3188	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3488 Explorer.EXE

pid	process
3488	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Discord rat.exedllhost.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exepowershell.exedwm.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	1068	dllhost.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	3144	dllhost.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2900	dllhost.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	3188	dllhost.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	820	dllhost.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	4620	dllhost.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	6064	svchost.exe
Token: SeCreatePagefilePrivilege	6064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe
Token: SeIncreaseQuotaPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: SeLoadDriverPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeShutdownPrivilege	2168	svchost.exe
Token: SeSystemEnvironmentPrivilege	2168	svchost.exe
Token: SeManageVolumePrivilege	2168	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe
Token: SeIncreaseQuotaPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: SeLoadDriverPrivilege	2168	svchost.exe
Token: SeSystemtimePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeShutdownPrivilege	2168	svchost.exe
Token: SeSystemEnvironmentPrivilege	2168	svchost.exe
Token: SeUndockPrivilege	2168	svchost.exe
Token: SeManageVolumePrivilege	2168	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe
Token: SeIncreaseQuotaPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: SeLoadDriverPrivilege	2168	svchost.exe
Token: SeSystemtimePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeShutdownPrivilege	2168	svchost.exe
Token: SeSystemEnvironmentPrivilege	2168	svchost.exe
Token: SeUndockPrivilege	2168	svchost.exe
Token: SeManageVolumePrivilege	2168	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Discord rat.exedllhost.exelsass.exe

description	pid	process	target process
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2524	2208	Discord rat.exe	powershell.exe
PID 2208 wrote to memory of 2524	2208	Discord rat.exe	powershell.exe
PID 2208 wrote to memory of 4464	2208	Discord rat.exe	cmd.exe
PID 2208 wrote to memory of 4464	2208	Discord rat.exe	cmd.exe
PID 2208 wrote to memory of 2340	2208	Discord rat.exe	NetSh.exe
PID 2208 wrote to memory of 2340	2208	Discord rat.exe	NetSh.exe
PID 1068 wrote to memory of 620	1068	dllhost.exe	winlogon.exe
PID 1068 wrote to memory of 684	1068	dllhost.exe	lsass.exe
PID 1068 wrote to memory of 956	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 60	1068	dllhost.exe	dwm.exe
PID 1068 wrote to memory of 744	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 1032	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 1084	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 1100	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 1172	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 1244	1068	dllhost.exe	svchost.exe
PID 1068 wrote to memory of 1264	1068	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	dllhost.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 2208 wrote to memory of 676	2208	Discord rat.exe	powershell.exe
PID 2208 wrote to memory of 676	2208	Discord rat.exe	powershell.exe
PID 2208 wrote to memory of 2180	2208	Discord rat.exe	cmd.exe
PID 2208 wrote to memory of 2180	2208	Discord rat.exe	cmd.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 2208 wrote to memory of 4520	2208	Discord rat.exe	NetSh.exe
PID 2208 wrote to memory of 4520	2208	Discord rat.exe	NetSh.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	dllhost.exe
PID 1068 wrote to memory of 1304	1068	dllhost.exe	svchost.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe
PID 684 wrote to memory of 2820	684	lsass.exe	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3528cb3a-19fd-4601-aaf6-0788097cc33e}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ac0af1b6-74a2-45e0-8102-7c02ea6210d3}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f84d4a9c-0093-4989-988f-237946c7d4fe}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f04b0a5b-bc3a-4269-b7ca-2e91330f2a7b}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c590336e-8f84-4e4c-a530-831f6e0a3340}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c5b79031-5468-44e5-ae55-b75fc316876a}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{96b6097e-ff39-4d39-b609-ed79959ae9cc}
2⤵
PID:3676

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e247e1d2-7cdd-497c-b817-44cf54f3ce41}
2⤵
PID:5572

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3465f334-96b4-4d66-aec5-7bc7b21915f0}
2⤵
PID:3460

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8cd24587-b620-4972-a841-ebb1e6baae50}
2⤵
PID:2520

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8c2e9d3e-acb7-4a4b-94d7-f9fd9fb07e15}
2⤵
PID:1184

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d0a3d9cc-8e29-4d73-aeb5-d94c1a4d1cbf}
2⤵
PID:5576

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7d06d93a-74b1-410e-adba-8288c511ae63}
2⤵
PID:812

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6b292cdc-0a42-4c8c-aed2-91a465576e26}
2⤵
PID:2944

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{20c61bd5-7c15-4d86-9570-cc943ef2dc9e}
2⤵
PID:4828

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e9f11a30-0b16-4de4-8e3e-8cbe43533131}
2⤵
PID:1208

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f0a505e2-d03c-4a50-a892-baffe5991aeb}
2⤵
PID:5968

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9acccdc1-59ae-423c-868e-b8ce45651e9c}
2⤵
PID:2728

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c469a456-c1e8-4ed4-bd54-c68293611085}
2⤵
PID:3716

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1172

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1424

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3012

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3488

C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3656

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2452

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:412

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3192

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3512

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2544

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4584

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4564

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3740

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3104

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2772

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5056

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3128

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5588

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1208

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5312

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:908

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6112

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3268

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2260

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5672

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6108

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4356

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4008

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4208

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4560

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3048

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6020

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:5380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5916

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2952

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:5968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3896

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4588

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1364

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:432

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5140

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5136

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:700

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5296

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:776

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2612

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4992

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1728

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 016ae9b219b9aa4ffaf55292243bb991 db50Wjwkw0aGML3uq5hN2g.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:5964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
PID:4168

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4288

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
21a9418825c5bd0d3d4e27e07a7fdb46

SHA1
2b1742947788771ed20ee55ffc7e222ec4568de8

SHA256
bb073567f10e4d90910b9a7f6c2ecce180e10630491431c6e2974f9699d65137

SHA512
cda334632ea4ba343d6e3c15683bbdac0adfe1d536d525965bde33813e1a1e6cb6662e62c8aeba505a7077c5fd9698b2ffc8acaf2f52f749e4ce0efd6f8aaac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62100fa13ac26dfb82304e621fd8e239

SHA1
0ccdbdbe6a7977f9b03ff219d568ba227c7bc9e5

SHA256
f37283a10607df750235c26c3af153c8db573b0d73791c3301d22f5aa462b3b2

SHA512
79094bb89b5d72f931ece7c6add2dfd05ba7085e99ff00d9435176ee352d5becf750c5ad65adf1bf3d5bf02bbd2c8842114c3fcd632c1198900437f4b3603d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
20ccd8eee8fb63b0f660c38299f815d4

SHA1
5882e3b12448a5cd6ab57008c1be852ac84cade1

SHA256
cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3

SHA512
28b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1c967279560ca1b998d82b009aef5186

SHA1
62c709063e480bf14963e3fd60a0407dc62428ae

SHA256
d22931bb06423504c44c02967f060449b9cd76e2599a3dfa2d5ad7e638b3cba1

SHA512
629defeba5f242fd8e8493749a79e3e07e0a98b8be13d0eb29dc5c0fe609b3b76027efa0cbcf702d990014b0844f5f442d2da3e2171fd25f2063a6b6280eb04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
68aa133b7248ec0a25a56cdd183935dd

SHA1
d7ed271276fbd115ac117341e52752196ece0613

SHA256
bae551dad802623d716ddccbca4f0b1883b58ca01032f0ab1656a68202e3e542

SHA512
8678d8c17a4e5bc44a578c9e56b3a11a583bd9f209f1a4dc45c4547a8a0e8043d6091e38a540e74d07a02ac04b860aeef41a59021d58323691ab52996cfc4009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a3769ad4f521a690c97086efc0bd2a17

SHA1
fb685e5afa817b977c0ad5163ab949eb2c296936

SHA256
9e703316c825d991d9ca9be9d39d6e635f2b505670873b2985c897e6c03ef4ba

SHA512
86a585dfb08341a5a85d8f6e66f20869e21c4d3bd2712b82f11bd89ae54a8e9f88829d5c171dbb2fbb1c8e2ebcd513358891ec31f64bc79dcdef1ca308dab80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
04114c0529b116bf66d764ff6a5a8fe3

SHA1
0caeff17d1b2190f76c9bf539105f6c40c92bd14

SHA256
fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

SHA512
6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8ab6456a8ec71255cb9ead0bb5d27767

SHA1
bc9ff860086488478e7716f7ac4421e8f69795fb

SHA256
bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2

SHA512
87c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
87464e393daf752b6ecfb78d18da8e6a

SHA1
6392cccae8dbc462f7e832844491f42bd384562c

SHA256
8cb8859c51fa5cd3221e9196f886a05e22705d2dbff54b442f0ffe1b9660c290

SHA512
3794dfe8723dafe0053d90395d2edd57716596f130e05895a4298ce91d2afb97842e30ad8131b73b7649de8ae24b4ec0464dc9cf2a76ace515ddca145551f87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iid4fgne.jnu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\CBS\CBS.log
Filesize
1KB

MD5
a418c5470c6ce193c0a551b79b88f8bb

SHA1
701b82a95c63c50c947a1c777c6ba91050f7d701

SHA256
b3b16c170655c0d3bba10b124b0367021d04f3354172e773e91d88bf8f589996

SHA512
94ea161d27fd8a175902259b08c5c755247435269e30911bed2b3808ec3b1ead9ea735389eaa0c41eea421cc95308a3a0cab7a848d93375a6fb15fca8fca69c2

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/60-40-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/60-39-0x0000028A30DF0000-0x0000028A30E1A000-memory.dmp

Filesize
168KB

Download
memory/620-29-0x0000027D5B2D0000-0x0000027D5B2F3000-memory.dmp

Filesize
140KB

Download
memory/620-30-0x0000027D5B300000-0x0000027D5B32A000-memory.dmp

Filesize
168KB

Download
memory/620-31-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/684-35-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/684-34-0x000001D104AA0000-0x000001D104ACA000-memory.dmp

Filesize
168KB

Download
memory/744-47-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/744-46-0x00000192F18A0000-0x00000192F18CA000-memory.dmp

Filesize
168KB

Download
memory/956-42-0x000001FC3FB30000-0x000001FC3FB5A000-memory.dmp

Filesize
168KB

Download
memory/956-43-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1032-55-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1032-54-0x000001FDC3990000-0x000001FDC39BA000-memory.dmp

Filesize
168KB

Download
memory/1068-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1068-12-0x00007FFE772C0000-0x00007FFE7737E000-memory.dmp

Filesize
760KB

Download
memory/1068-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1068-11-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1068-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1068-8-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1084-58-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1084-57-0x0000014AA0CE0000-0x0000014AA0D0A000-memory.dmp

Filesize
168KB

Download
memory/1100-60-0x0000022A10E90000-0x0000022A10EBA000-memory.dmp

Filesize
168KB

Download
memory/1100-61-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1172-63-0x0000019A789A0000-0x0000019A789CA000-memory.dmp

Filesize
168KB

Download
memory/1172-64-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1244-66-0x000002C5B8AB0000-0x000002C5B8ADA000-memory.dmp

Filesize
168KB

Download
memory/1244-67-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1264-78-0x0000023ED5F80000-0x0000023ED5FAA000-memory.dmp

Filesize
168KB

Download
memory/1264-79-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/2208-69-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/2208-7-0x00007FFE772C0000-0x00007FFE7737E000-memory.dmp

Filesize
760KB

Download
memory/2208-841-0x00007FFE5AE83000-0x00007FFE5AE85000-memory.dmp

Filesize
8KB

Download
memory/2208-845-0x00007FFE5AE80000-0x00007FFE5B941000-memory.dmp

Filesize
10.8MB

Download
memory/2208-0-0x000002B4EF120000-0x000002B4EF138000-memory.dmp

Filesize
96KB

Download
memory/2208-2-0x000002B4F18B0000-0x000002B4F1A72000-memory.dmp

Filesize
1.8MB

Download
memory/2208-3-0x00007FFE5AE80000-0x00007FFE5B941000-memory.dmp

Filesize
10.8MB

Download
memory/2208-1-0x00007FFE5AE83000-0x00007FFE5AE85000-memory.dmp

Filesize
8KB

Download
memory/2208-4-0x000002B4F1FB0000-0x000002B4F24D8000-memory.dmp

Filesize
5.2MB

Download
memory/2208-5-0x000002B4F17E0000-0x000002B4F181E000-memory.dmp

Filesize
248KB

Download
memory/2208-6-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/2208-70-0x00007FFE772C0000-0x00007FFE7737E000-memory.dmp

Filesize
760KB

Download
memory/2524-26-0x00007FFE5AE80000-0x00007FFE5B941000-memory.dmp

Filesize
10.8MB

Download
memory/2524-15-0x00007FFE5AE80000-0x00007FFE5B941000-memory.dmp

Filesize
10.8MB

Download
memory/2524-14-0x00007FFE5AE83000-0x00007FFE5AE85000-memory.dmp

Filesize
8KB

Download
memory/2524-22-0x00000139CA860000-0x00000139CA882000-memory.dmp

Filesize
136KB

Download
memory/2524-603-0x00007FFE5AE80000-0x00007FFE5B941000-memory.dmp

Filesize
10.8MB

Download
memory/2900-83-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/2900-82-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3144-74-0x00007FFE772C0000-0x00007FFE7737E000-memory.dmp

Filesize
760KB

Download
memory/3144-73-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/3144-72-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads