discordrat | hxxps://gofile[.]io/d/DIybB9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/DIybB9

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMDIzMjYwNzc3NDc0NDcwNw.GxAcGD.mnB92PW9-EMcDuoo3FjOhqODTk92OuERwKSEEc
server_id
1209136277253918762

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3464	flaminz-toolz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
99	discord.com
103	discord.com
58	discord.com
59	discord.com
63	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133530889178586694"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
5224	chrome.exe
5224	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeDebugPrivilege	3464	flaminz-toolz.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: 33	1188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1188	AUDIODG.EXE
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2596	4620	chrome.exe	15
PID 4620 wrote to memory of 2596	4620	chrome.exe	15
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 2252	4620	chrome.exe	50
PID 4620 wrote to memory of 4148	4620	chrome.exe	49
PID 4620 wrote to memory of 4148	4620	chrome.exe	49
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46
PID 4620 wrote to memory of 4668	4620	chrome.exe	46

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/DIybB9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef7619758,0x7ffef7619768,0x7ffef7619778
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:2
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5100 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5628 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4824 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:3708
- C:\Users\Admin\Downloads\flaminz-toolz.exe
  "C:\Users\Admin\Downloads\flaminz-toolz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6076 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4700 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5220 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5820 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6296 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6292 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6576 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 --field-trial-handle=1824,i,9908791821719693135,5198278663265784686,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x250
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
da16aa6b8d2a2158997a9d43a4f88fec

SHA1
23e5dbe56353837120949a07419221c6bfe1f8bf

SHA256
9df3c12b38df6e5d5488608ab756c40a638fdca7bdb9af0cb6d77c40f2a7f641

SHA512
2ff8a3e1df437fd0439ae26fddf37bf814c95f3279d396e0388ae4f5ce27d4989077980ec6d3317cf4b815bf13cb0594e3d064ebe98fd0527f35e63870e1040e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4d4e83aceea58067c84be042f844395b

SHA1
0403c363aa41634cb8f677c953a044e1611f5c0f

SHA256
3a787634a3e2d290c00b98a157f0aca174848a62d1a76206032c138fbbab3657

SHA512
2701d5988fd6700cbcc1cb5221b7de350f3a21c06ade489519e1db5cd2e74ce74f55b1b373651ad0e1d31f974745ae07b09a63b9276ca01f25b590bfc106bffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
462fa3a6c8bf70ca4b2de8ec1769138f

SHA1
4d13a2afbfd61e68292e2f7caf51b381cdb15f07

SHA256
72a19af155a3d627bc8c5c74ced9d3c7056278da42e90f97b40574ffc96f164b

SHA512
d08a671ef624eb3e5812d4c258db03ef29ddf4a8d57f0e2c11bd5058102bfc245bb8358a0b4f14df9812f33bf6cf4941b20be119b2eed7cc8cefdd57131fe6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d721ef0ba872f7b194295694b19d913a

SHA1
bf0347c6e6221b0f50e7630bb84381408dd47333

SHA256
2b4c850e8d7ade7a80c9caca8e98b2cb89d7166096ef8aa61d5ff43a0af0dbd5

SHA512
8cdaa3cdab9ac2805d0b7b6590b16bb02e2eb77ef6754c5aa3122818f4da65586ba030104db6b552bed8dc8891ee50926f2e22ead419e81e1e8fa7b7fd1e399e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0bd54efaf44821dca0b200eaa889e9b5

SHA1
c905e27752fefa5485e0c24d009baccf286ef628

SHA256
cfd786285304d7f31be0303ad470a3a64ae1105b1d7f283bf6fb8c302b7711a8

SHA512
2c6bcce01e5c48e7a3075e3f5200b9895d9fa9e0bf98451d817fa4e5d33d736f35f03483d88e91660d0515a04e383221f91e7410a016a9454f511f37802a73b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1205365edda7a17ea0556008f40c46b1

SHA1
75cf4abf44b1f364a956537ecb21b034276241af

SHA256
8166e75da4aee3e1bfde999e8b5ea1a1f657cd4ce40d8affdf2a589f007ead32

SHA512
934e606de617885777c8d71182c612c3ddcf035eda20629bd9801c7952836ba3e573ed8b6023347bb0dd86344490a8c6b5ce1595ae5a342cfaf9e0c3cde1acc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e57356be11c6952e9424a450129a6732

SHA1
de511517a02185203c58918b541085fad341d93a

SHA256
7525a35311c650e2c821459a1311ce17daea6efef6da182224fde841453e0f43

SHA512
b3f2d0e7785caabadb5e4da365a7359fda81e3aa8bad57c44c10bada4ea4f3b7d8bfe67d72a76dac69e86424ded624bece94c83728da4f5337ad701f8dcf52a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
9c5c5e8d8954ac6e0fcd99c9e87d78be

SHA1
f0ca09539578c01eafc0e77881d7ddbfcd4f37af

SHA256
274b1bac58e2841e7da655fa7503597c84fa3d5c25d2e7d6ec54613d01cc74ed

SHA512
37f9560f35302a2dddde6721599cf0d06aef713d88888cf72a5c99ca7d4a326aba0fc45e373ce41eb9304b9d1a4d9a771dd2c000bedd008f14d53163257ecc13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
178986105554bfc2d1240104e92cb97c

SHA1
a810355be1a62cf75ecfb137e216df9fe863d76e

SHA256
872211d9707b769ed1328a4b8df50e55f256a5b01afc12c7d14b4fed1d657c08

SHA512
021e19aced4d3926584700ccd26bcc9f4f8f874912bf597e4285d0201b07c10a1f775844575090326bb9546dd60251afd4255782ed72a4671efd515f392e77e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
116KB

MD5
b483976ea5ed1576d6f5edbd0a6ddbcd

SHA1
ac66a8959f8f0c34f5be14a7a4f6165c9a8e4c0f

SHA256
fcbcef79e186d00183374a421eff2df2cdff7e62408a1bb3adbca63cf4fd0b24

SHA512
2225f8aca44bf387733b55ab4e8103e0285573dba43bc209255718c6e8bb2150eaa29d2d52183681b152b3db5dac733b3a7bbabb0aed13f0e091dab54f0ca7ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ae80.TMP

Filesize
114KB

MD5
77f5a4047124ccc501347d9c0243bcc8

SHA1
e9065ccdd09883a97230f3346d3cd314fe4d2601

SHA256
40763c9b39adc3c590ad2602a2673ebe2126f761d915a2ac5f65c1a7383db3be

SHA512
2eb072598520768e9f145ec7494fd2af96b19d939712aec9adb783d66d82c27d49327ee540dad6759127d44ef3d95edeff19037674e166aea7cc74481fd6ead9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\flaminz-toolz.exe

Filesize
78KB

MD5
19fd570fbcbe2ec23fc46733efc7f823

SHA1
e3d392f2233ee6aacbbe78c0e6d13e14780ebb3e

SHA256
12da161cf24cf674a7d157e615128e7f3ee90f33f8c00cf9a668cb9a90ded738

SHA512
3b232e63cee0e0fc42f8885292f83a0011b417befa9fcb1c7cca5e8d54dd457cf93c87c22bab994f3b7c436e992743ef2ace2bff425725d4611ec561cc5f94a4

Download Submit
memory/3464-79-0x0000013A81490000-0x0000013A819B8000-memory.dmp

Filesize
5.2MB

Download
memory/3464-77-0x00007FFEE4970000-0x00007FFEE5431000-memory.dmp

Filesize
10.8MB

Download
memory/3464-78-0x0000013AE6F90000-0x0000013AE6FA0000-memory.dmp

Filesize
64KB

Download
memory/3464-76-0x0000013AFF990000-0x0000013AFFB52000-memory.dmp

Filesize
1.8MB

Download
memory/3464-264-0x00007FFEE4970000-0x00007FFEE5431000-memory.dmp

Filesize
10.8MB

Download
memory/3464-75-0x0000013AE5290000-0x0000013AE52A8000-memory.dmp

Filesize
96KB

Download
memory/3464-283-0x0000013AE6F90000-0x0000013AE6FA0000-memory.dmp

Filesize
64KB

Download