hxxps://cdn[.]discordapp[.]com/attachments/1167420096906539041/1167420382681235507/recaf-2[.]21[.]13-J8-jar-with-dependencies_1[.]jar?ex=65574a74&is=6544d574&hm=cd9600578d8412afe55ac0e87b1b45a9cc7cbb11f4ac346b9b9e00e281acd10c&

Analysis

max time kernel
70s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1167420096906539041/1167420382681235507/recaf-2.21.13-J8-jar-with-dependencies_1.jar?ex=65574a74&is=6544d574&hm=cd9600578d8412afe55ac0e87b1b45a9cc7cbb11f4ac346b9b9e00e281acd10c&

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3816	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133435173806633324"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
416	powershell.exe
416	powershell.exe
416	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3796	3340	chrome.exe	84
PID 3340 wrote to memory of 3796	3340	chrome.exe	84
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 4916	3340	chrome.exe	87
PID 3340 wrote to memory of 3068	3340	chrome.exe	88
PID 3340 wrote to memory of 3068	3340	chrome.exe	88
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89
PID 3340 wrote to memory of 8	3340	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1167420096906539041/1167420382681235507/recaf-2.21.13-J8-jar-with-dependencies_1.jar?ex=65574a74&is=6544d574&hm=cd9600578d8412afe55ac0e87b1b45a9cc7cbb11f4ac346b9b9e00e281acd10c&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7ffd9758,0x7ffe7ffd9768,0x7ffe7ffd9778
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1868,i,16992002738628535993,890872400747021404,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\recaf-2.21.13-J8-jar-with-dependencies_1.jar"
  2⤵
  - Drops file in Program Files directory
  PID:2852
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:3816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -EncodedCommand JgAgAHsACgBbAEMAbwBuAHMAbwBsAGUAXQA6ADoATwB1AHQAcAB1AHQARQBuAGMAbwBkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgACgBBAGQAZAAtAFQAeQBwAGUAIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAARABpAHIAIAB7AAoAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHMAaABlAGwAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIABwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBIAEcAZQB0AEsAbgBvAHcAbgBGAG8AbABkAGUAcgBQAGEAdABoACgAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBMAFAAUwB0AHIAdQBjAHQAKQBdACAARwB1AGkAZAAgAHIAZgBpAGQALAAgAHUAaQBuAHQAIABkAHcARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGgAVABvAGsAZQBuACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAcABzAHoAUABhAHQAaAApADsACgAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAARwBlAHQASwBuAG8AdwBuAEYAbwBsAGQAZQByAFAAYQB0AGgAKABzAHQAcgBpAG4AZwAgAHIAZgBpAGQAKQAgAHsACgAgACAAIAAgAEkAbgB0AFAAdAByACAAcABzAHoAUABhAHQAaAA7AAoAIAAgACAAIABpAGYAIAAoAFMASABHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoAG4AZQB3ACAARwB1AGkAZAAoAHIAZgBpAGQAKQAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAHAAcwB6AFAAYQB0AGgAKQAgACEAPQAgADAAKQAgAHIAZQB0AHUAcgBuACAAIgAiADsACgAgACAAIAAgAHMAdAByAGkAbgBnACAAcABhAHQAaAAgAD0AIABNAGEAcgBzAGgAYQBsAC4AUAB0AHIAVABvAFMAdAByAGkAbgBnAFUAbgBpACgAcABzAHoAUABhAHQAaAApADsACgAgACAAIAAgAE0AYQByAHMAaABhAGwALgBGAHIAZQBlAEMAbwBUAGEAcwBrAE0AZQBtACgAcABzAHoAUABhAHQAaAApADsACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHQAaAA7AAoAIAAgAH0ACgB9AAoAIgBAAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIANQBFADYAQwA4ADUAOABGAC0AMABFADIAMgAtADQANwA2ADAALQA5AEEARgBFAC0ARQBBADMAMwAxADcAQgA2ADcAMQA3ADMAIgApAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIAMwBFAEIANgA4ADUARABCAC0ANgA1AEYAOQAtADQAQwBGADYALQBBADAAMwBBAC0ARQAzAEUARgA2ADUANwAyADkARgAzAEQAIgApAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIARgAxAEIAMwAyADcAOAA1AC0ANgBGAEIAQQAtADQARgBDAEYALQA5AEQANQA1AC0ANwBCADgARQA3AEYAMQA1ADcAMAA5ADEAIgApAAoAfQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:416
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xum2a2fp\xum2a2fp.cmdline"
      4⤵
      PID:1264
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A04.tmp" "c:\Users\Admin\AppData\Local\Temp\xum2a2fp\CSC8EB23A41710A4647A87B34B92C951130.TMP"
        5⤵
        
        PID:2116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
76805d5c462ca5ff3b9eef3b66f57c2e

SHA1
dd77bf280b4c0cd4fa8b5c113d2275a4d3491573

SHA256
4b97dfa50276eac8262b3b3289041e79750f582f6b96c3ff86384fa09bdc6056

SHA512
d9329aaad4e1eda82f2cda7f45c4f1c1092525f1d2ac98945fe7dae5dd9618561407aceecf4be8d04e30a6097db5ec9db63945dd025e74b22a698c17bb845dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
79c8aa41a7fafd3095da4890203b6d04

SHA1
00d8c8866ea41d44478c08ed677c325b5cb107eb

SHA256
aad8d21d584ca3dd8e88c6669ae9ba1d17468f4bd3ebc8653e78f49e901b5b59

SHA512
58f87908a36d350b116dca7c46176d2a4811e78a76cd389b43ff40a80009a63e3b4b7258f4b13d8b2fde9f8d771f4ff20aefa5a70110e9c00c32f5ccd3d04fd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
89c0d82942da316314b53c2b39a4cb66

SHA1
8890dc328fd4e1371019b1e9466eaba769c53f7b

SHA256
0f99ec55850f17fea5b1b841bee24ccc005fb24fa20f0753ebe77596d9ea1ff3

SHA512
e437ad61e4876273d104ea5cf8d3c8d159a7c61682d23b280abdd1941058d70e1c52c0b51fcfdca5db7518787a97760008426331a739624c8bac9a737028fcb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1a5e3e4598756799119c3b4c7cf5bb80

SHA1
e7b3de23d5e5ef522790bc365523d513ffd46eea

SHA256
9c2c16522e267969230a4eda5a3be9e97dd095fbcd01c79df332bd47c43a0ac8

SHA512
cefb3233241b970639f2b6fa3fdca3b9e0ce96ccc639d371a458b2dccbe48a1ecd8c9d08346ed3e57fec2b7bdfbefeb217d97375229e8144fe81770d376f276d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
985a74fcf5fc160c64802c86bd1401f7

SHA1
28387aa7760850e85d55aedd835ae12ed1dc2ecf

SHA256
17a977465638f3af0019207001601aa6b585976c6090fe38e2bdeec3d743b321

SHA512
a8f2328a178b29dc142ded99ece57dfb21db61322a534a84a51a347d8205681a29c37980934840ab859f3f936dbcbadad1320b5e6ea6e55c3a739d791f5d2511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A04.tmp

Filesize
1KB

MD5
d68bf6a9cf22ce02b6e9562a44b2a62a

SHA1
2f93b133bd25910de283e83ffeca72106e802448

SHA256
8bd27f4acf8473d9b671461e76ec290fcf2c364e6d1af92821870b7dc78bed54

SHA512
032ece5dddfeb81c3de54fe6cf6104154593d6b238c9d6c20f4c209f72a0fc4dd1304db49f339504657a38970361296a33ce782e06850cd7ded83cc957d9210a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5vj02jj.xdc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xum2a2fp\xum2a2fp.dll

Filesize
3KB

MD5
973fdf6ccb61a3d354ad496991515a7b

SHA1
1d86cdac38bd5b9af62359b5da8ea07c426b539b

SHA256
2c2e97851155ded7fdacc7bf8b3521f2c489b6c22ddb2eddb41480a8a408a079

SHA512
b0a1d39fa2a5f5a49d3fb12129455dd3dfe2c4206a808abae169d7a869beea65d668c87848c92e64937b9d09d0c1120f1154adcb6bd7720aef122433d3c916bf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 108114.crdownload

Filesize
19.8MB

MD5
2afa4c55d98d7f8834550126d303ec43

SHA1
991efc54627ed3bc9849f2f68a19cb40c4f1d538

SHA256
9d6cff1f9d4a7363027f53f4e85c8b74e235a2884463b7475fc1b83aee2d000e

SHA512
97e9bb1beb066a5fdab7976c956ebb66e891069cdfd857b2673702137bfc19d63fb23bef438f80e768a6b10b8c16ed18ed47e02d955bb0fa196a873320745816

Download Submit
C:\Users\Admin\Downloads\recaf-2.21.13-J8-jar-with-dependencies_1.jar

Filesize
19.8MB

MD5
2afa4c55d98d7f8834550126d303ec43

SHA1
991efc54627ed3bc9849f2f68a19cb40c4f1d538

SHA256
9d6cff1f9d4a7363027f53f4e85c8b74e235a2884463b7475fc1b83aee2d000e

SHA512
97e9bb1beb066a5fdab7976c956ebb66e891069cdfd857b2673702137bfc19d63fb23bef438f80e768a6b10b8c16ed18ed47e02d955bb0fa196a873320745816

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xum2a2fp\CSC8EB23A41710A4647A87B34B92C951130.TMP

Filesize
652B

MD5
fe6bf14db8be523523ffa988e7a958a9

SHA1
efe173fa6a02fac5fb66516b148a9fbfa7cebea5

SHA256
6f31d0f4059f367ec63693c50e678392e6ef8c1452886973e115beb6c9657c91

SHA512
b0f8507cacfa9d5206edd3e1f31e3fa1e472174b1f20f1633ea0f2217d746f9d142ac789ca2f174286db0ec4c703aaf1e2bb924507fbcb8b495b61d100af0215

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xum2a2fp\xum2a2fp.0.cs

Filesize
526B

MD5
19cf785fbc390f5627236a4b664e3467

SHA1
917d102da7222d6a0477f3932c1d9014601ca71c

SHA256
35d145e5758625b5cce58aac031766c6816c0971dd8a0f4240e7a791dbec24b3

SHA512
c069fd68db3b30c18612e21052e94fa48dba7f8f624e513fcb938d79e7722a38cab5c2f2dd5d309f01f14c2565ebfbfc4d0ea6a3a078b0dc685b6bbec77dd649

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xum2a2fp\xum2a2fp.cmdline

Filesize
369B

MD5
ce44f52931fb60360c6487bc4b190a20

SHA1
1feaa85b5962f5a5f7960dd48f8693f925b130b2

SHA256
45dc4d9a7e1d3824eb8e509814a75eb5790841940f38f06f2f18ce19978f27a2

SHA512
c044fcdce1997a40757484a29c4d63c9842fec58e42ec9dda7074e4db50eaf1bb635955270c4cae2bf547fd00f46c55f8773de9684e9d0fe2b7915d4afece456

Download Submit
memory/416-69-0x000001DCEBCB0000-0x000001DCEBCC0000-memory.dmp

Filesize
64KB

Download
memory/416-68-0x000001DCEBCB0000-0x000001DCEBCC0000-memory.dmp

Filesize
64KB

Download
memory/416-66-0x000001DCEBCB0000-0x000001DCEBCC0000-memory.dmp

Filesize
64KB

Download
memory/416-65-0x00007FFE6BBA0000-0x00007FFE6C661000-memory.dmp

Filesize
10.8MB

Download
memory/416-82-0x000001DCEBCA0000-0x000001DCEBCA8000-memory.dmp

Filesize
32KB

Download
memory/416-84-0x00007FFE6BBA0000-0x00007FFE6C661000-memory.dmp

Filesize
10.8MB

Download
memory/416-64-0x000001DCEC3F0000-0x000001DCEC412000-memory.dmp

Filesize
136KB

Download
memory/2852-49-0x0000020A398B0000-0x0000020A398B1000-memory.dmp

Filesize
4KB

Download
memory/2852-35-0x0000020A398D0000-0x0000020A3A8D0000-memory.dmp

Filesize
16.0MB

Download