Analysis Overview
SHA256
9d0e13b30050899624473e710d44cb372a881a38d2802cc6c0ea2e2f54580689
Threat Level: Known bad
The file Google Chrome.exe was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-26 01:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 01:32
Reported
2024-05-26 01:34
Platform
win7-20240220-en
Max time kernel
47s
Max time network
58s
Command Line
Signatures
Discord RAT
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61b9758,0x7fef61b9768,0x7fef61b9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1308 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2940 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2948 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3520 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1276,i,10569175667699028944,16659615531131980971,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
\??\pipe\crashpad_2588_OFILGOAVTOREARTN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1e9ce0fb0fb7821c8f88bc3cd72d028a |
| SHA1 | f2caa6cdc618eb7510630df092e3f58572f7c915 |
| SHA256 | 076518beb6b865b888693095dcbecc3b6c790cd3231be694f9c0c0afee12bb19 |
| SHA512 | 17b9cd810b0418ea8090c3e062f9092f4382d51246ee9b528ebc75098a62424fb57b8b1779ad8cb9bebd906c42560633e6631816770de0b98461e46f08a67e51 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | def39ebb39328c5da6c835eed62f155b |
| SHA1 | 85064c0860851cea499b5c4aae0a50d299821e0d |
| SHA256 | 7cf330d0671fb2c49dd1c2d04d7a445653a64bf6e017f7ed3bcb2326b4624c32 |
| SHA512 | 7e222d91e32ce309ce1604a259533b19a21afd01cb6c9673ef577b0edd2228270657b14707b5b571faed3b030dd5ed4055d8a3566dccf016e4106a9a99e1e5a8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bc87dd563fac05eb681934f4f86f0915 |
| SHA1 | 4869818eb706b1ef7239ce69f3f25229e153b90f |
| SHA256 | ffebd4ab604897e7e925407eedbecec492beedcf83027abab2a49d02cf9c5da0 |
| SHA512 | 94888686e16d76f22ee3a4886c130b67f29c381e685846a8069418c4756dfd6a52375cb40b66fa7bbc6d8d61ad32b7617a5eac3e7cbd5f32732b2cc3be3707ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0da03663-76a9-4a4f-9a8e-8878532b54dd.tmp
| MD5 | 94d362c80d141b4af85298fd71a61e92 |
| SHA1 | 7b2c118765a66b0d2c51a8e38c106131f7ca73ae |
| SHA256 | d47b439646ac83d522b2dc656fb8d0e3981b2f98efdc45163719875dd0410829 |
| SHA512 | 75d3899ce08237a8f62486c25316a9cc201e3b26babd4ab7087497c8663e3767d1f83506d663cb2d8401426b0f4e53a178e5294fc2efaacb6678002d437bdbef |
\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
| MD5 | 9553a880a3c466fa75a66e0c39227e12 |
| SHA1 | 792c1dad18fb2cbcec2d481521562f03ef87a349 |
| SHA256 | 2b10f66d9a5a6e56e89b939b3606ebb628035a96ea64fc45f792ecc59b30d286 |
| SHA512 | 0abe8444f4d80f6e40571a7e12340043a7ee42aafb8fae20f5d86c40c2429527c4d4def9a71965fd861474aee7a0d4bbc6c230400bb3eee39d37bb2145a83099 |
memory/2776-185-0x000007FEF51D3000-0x000007FEF51D4000-memory.dmp
memory/2776-186-0x000000013FC40000-0x000000013FC58000-memory.dmp
memory/2776-191-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp
memory/2776-193-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 01:32
Reported
2024-05-26 01:34
Platform
win10v2004-20240508-en
Max time kernel
84s
Max time network
86s
Command Line
Signatures
Discord RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611607760793351" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85becab58,0x7ff85becab68,0x7ff85becab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4264 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1952,i,15207683745504727348,17026892573333298422,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3902055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 234.134.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
\??\pipe\crashpad_2236_FSZPDTNSPLYVDNLT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a476f60d5e5d6abf90c56a80bbccb9fe |
| SHA1 | 7bd1d0a94fb13aaa0b79f9a4c02bfe6305f60a05 |
| SHA256 | 981a4c94a452c830ba98f989554b6564fda6689a867b2fc61ec23d0188adb9b3 |
| SHA512 | f9f056c2f970d701311a528e7ebe07b7137195198fa366c8680c2647ffb4b864edd092aef37a3dee42642d7da8e5149bdfa4daa1dce9930f7d9e0b5fc4dc651c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 894b7cbb6068c504526e95dfd2f17695 |
| SHA1 | 929cc09bc5b9a87c8a20a593aed15c631f629cf1 |
| SHA256 | cbb437dce9409b713a09513aeb655c92d39c1451ea469ff4d110586eb78a6b5c |
| SHA512 | 267c6a73752698b67a0a24fcdd442272bfcc91154730db30a5fa7dcf70af9f5bd6138a413fc3e9cfad53fd9aae7438337238be007f06940afc6d28d5f183fabe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8c2873f1a31f09a85fb3a2fa16e3fd92 |
| SHA1 | 65c52ade98c0f13b707c658231a6e001f02895bc |
| SHA256 | 5d4d267cf4de7f4ac396f5ad42efc69773de0042c3a87f1147fdf33f70162d02 |
| SHA512 | c768c5d5025789e1f9343a479d55d7898796fe357ebb23a40d18d0beb19f1649cebae4663741c49f9c402e182e0150e35c891fe6d427e8745c5d50e97766afa7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d4eb7e6c2b1ac427624a4d9f99bdb5a4 |
| SHA1 | 71d3d34b207822c8c4c9fdb772a7e2914d1e0ce4 |
| SHA256 | ccc709f92ae1922fe99a59d81f9d9b979ce6c3a8ad7e6be53fa42c6ed5ce8f1a |
| SHA512 | 9d94bfde147ed60e1b970468d193cc2418bcc2e34b2d9ffe4133c3dacd1e93fdea60e6d6ef63c89b5cfb3e15360321511bb3fc53a51d72fb7d4b928e85c3eb06 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0f5ec81823c58e751e246b7bd52ebea0 |
| SHA1 | 6b34b386b59d62ee3151763267e2245e3e22b981 |
| SHA256 | 8167fff6b2e54772d8a743ab28c7fc49e520d699b2823f9530df8c788b5470a1 |
| SHA512 | cac2349b28f65eaf501d0e214b4ad46a7cfcec4cb3d82821b3df7785a34280e8d50ec248af3e937df3843d73dab8e3d0d3190ec23934582cadd6c3fcb648217e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 67218bb637af9e356c2d58d7c66eb11e |
| SHA1 | 0bb524e8c7592bf5e6b5b5c03183c40c1fa8cb1d |
| SHA256 | ae0ca0a7deefd6d9903e9105e32adb3390cf607ab11b8775a7134b2a1d63ae5b |
| SHA512 | 8209d0be2f0d21c2799b214e6872c7a91153fba542a98aebc9e8031a065ecb99f7a1bb4f44280ac555b28958d48ddfc6815c2c7fd839890a24de036363d9ee8c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 2c55c1c7c85404a8c061d5c06e15144a |
| SHA1 | 07817845d32c536a65e2341efa99487e2a507dae |
| SHA256 | 32353908ccf59a37066e58a8e49138bb40c958f743bc50d14d65710b91ceb5d3 |
| SHA512 | 46c2c857ddab480119a903f62916cb5121f04f960ee8d6bf7cb8ede862e35c0f2ef62d1194ee72e1ae0ff9c4d97ee2386a90e9844f781166fcd7f7022c321479 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | fbdf1490d8356d46dca563ab82f503f5 |
| SHA1 | 61f8da4d9a73b7cc00cab465def436bc2bf7313f |
| SHA256 | b26a701052ed6f2166b5e8cc9ec6f6011393187100b084c1368bbb56aef8d217 |
| SHA512 | d0a65aa6f3206a7e57dc57db86d262cd8213f7848b2cb8600279f74f2e636163117a837ff4a8139d57a2318e9d34b5fd4938dcc32ff7c650caadda8c9cf9d40c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
| MD5 | 9553a880a3c466fa75a66e0c39227e12 |
| SHA1 | 792c1dad18fb2cbcec2d481521562f03ef87a349 |
| SHA256 | 2b10f66d9a5a6e56e89b939b3606ebb628035a96ea64fc45f792ecc59b30d286 |
| SHA512 | 0abe8444f4d80f6e40571a7e12340043a7ee42aafb8fae20f5d86c40c2429527c4d4def9a71965fd861474aee7a0d4bbc6c230400bb3eee39d37bb2145a83099 |
memory/3196-173-0x00000293AACE0000-0x00000293AACF8000-memory.dmp
memory/3196-174-0x00000293C53D0000-0x00000293C5592000-memory.dmp
memory/3196-175-0x00000293C5BD0000-0x00000293C60F8000-memory.dmp