discordrat | hxxps://mega[.]nz/file/4nFDUZDL#X78fPOLzSILTjoN6A_dNQFZeMnnvbme-DKfHHid-Pbk

Analysis

max time kernel
127s
max time network
127s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/4nFDUZDL#X78fPOLzSILTjoN6A_dNQFZeMnnvbme-DKfHHid-Pbk

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjMyOTc1MzA1NzY4OTcxNw.GfGkYR.4NIueWQiWsR14nSV_wd0Nsj-vv67vQzF7zcI9M
server_id
1256329683432112240

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 2 IoCs

Processes:

LX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exe

pid process

2716 LX Executor Version 2.0.0.exe
2392 LX Executor Version 2.0.0.exe

pid	process
2716	LX Executor Version 2.0.0.exe
2392	LX Executor Version 2.0.0.exe

Drops file in Windows directory 3 IoCs

Processes:

taskmgr.exechrome.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	chrome.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641186381489183"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000006d1a81e48986da01acf37e479086da01acf37e479086da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000ac7c83e48986da0145751ee58986da011db119e58986da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exetaskmgr.exechrome.exe

pid	process
3300	chrome.exe
3300	chrome.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
1596	chrome.exe
1596	chrome.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

5056 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

3300 chrome.exe
3300 chrome.exe
3300 chrome.exe
3300 chrome.exe
3300 chrome.exe
3300 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: 33	1592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1592	AUDIODG.EXE
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe
Token: SeShutdownPrivilege	3300	chrome.exe
Token: SeCreatePagefilePrivilege	3300	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
3300	chrome.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

chrome.exe

pid	process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3300 wrote to memory of 700	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 700	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4148	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4216	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 4216	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe
PID 3300 wrote to memory of 1388	3300	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/4nFDUZDL#X78fPOLzSILTjoN6A_dNQFZeMnnvbme-DKfHHid-Pbk
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9d5ae9758,0x7ff9d5ae9768,0x7ff9d5ae9778
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5060 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5444 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5464 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5432 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5588 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:1
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6012 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5676 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5580 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4984 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3004 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5056
- C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
  "C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
  "C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5876 --field-trial-handle=1840,i,12310131837429071313,3078302606191620601,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4468

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ab64cd80fbe3296fe465d40a25bb197c

SHA1
637f2630b46b8a7af37620d1ee627f188e11bfe1

SHA256
ed8cb8388424c510871519148ffc4e7d2fd9cadb681762b5f103857cf71c5ea0

SHA512
12583a393e2d28ec7f3f1e9b7bf54bba02e6e1f825db6060b98500f169457a6a4f9d7965e44e5e406572ce2c4c7c8bbd5e65dea4bbf226a17c1d69a2dfc1f291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
385ce5b23a9cf32c2c0f81eededd2f75

SHA1
87af1e84d088e231e1cfcb95e6f62f8a68eb8ef9

SHA256
6ce064b81fd2397229e227a11298d6762047d2fec12d801edfe7a393717c22d5

SHA512
de88fb362aabc91ce96e6acd3ed82a74a6f27ef4dbc7c2fba8adfa6bced1c46910dabacfe102fbd812cd7185c8caaebecbf6fbb37b553a80e53bcf210326f492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
27c460db717040ad04dec92591246ceb

SHA1
a239347f7f555eeb366fff50f3fad4b10eac51e2

SHA256
9f5531a7f7eef960c5d7eafb6e15fdd52fd70d9f6b45a577c8212d27065a10da

SHA512
51a087cc5998040a996761c3862108f158c9cb129cfb7ced50848b2aba5f652371af018c41dbae43167239dde9394a758a98ac7fb300b3166b9599d984b8050e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6ee4bc4c293cee74a5fc527bfc443e12

SHA1
99b736399b6e0305044263fe3ba0fde0c51946e6

SHA256
9b9c298804b3805d1562c9ffb209f3f025d6afbd6faf54481ea813b39403d6e2

SHA512
f588ddd319519e2a6a9042372b041c296bc694b36da7cf8fc3036fe4aaae4d5b245b2a85252629b37fd0b06a4902ec02dff16510630542d32cc54d11983a61eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
47b06f6bffe697b56a5b5ce63a1a6153

SHA1
656ac91e938cba81eeecc068bbe0138fb50fb452

SHA256
1576b761d4a580a5f441fc59539f3e38f13f96ae6c4ecdaaf9c01c3f2020798b

SHA512
ae899ab4c0d1146df33148fafa7207a90cd5edb07ec14a029e4191e0ecb1d5c0a27ed773ec0c0f600c0cd8bd6fee40e484c89b1c7ee92a68986922f1236e7ef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2b9a2c5f124f9b78604400f443558752

SHA1
6c33db3f2485d626f3a319c98a4397668dc709e5

SHA256
16c637e92691fb510b5df7ea1cfff80b5a8350c9c221114966cbeed7db663821

SHA512
08639ec166025452acb4295d4daf4da35fc87f25b5443eec4ee94c89c828e02e0f71e599789464b499073879f766e2b56c1226cf86a42329e04d377646ac2ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a783deea9a5b2f341891bf44c8f2293

SHA1
810e5cbec4c47c9a5ed211c8e9162c6f1011b678

SHA256
476f27bdb14a235690c2345be387a1cc7e8ae4498ad0e49fe53f06a7a368b43b

SHA512
aacae10fc35113026db8cf1c2385eb9fe76ac1f3077058e70f52e57bf87d91448c97aad59938dccc7184d4fb33fea32fba072b3ad4d8e1633c7107e46ddaaedf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
745d2b077fea1a5c4136a75069673098

SHA1
93a21d40fddfdf77475ec82220666b9ded6a6345

SHA256
303a7bed2bb46416414d519fc622023c30ca810af0921f1eb67cac7e8af24503

SHA512
5c56a453d61765abb169478018428c402f5446f33c023524d5f1fa782512b66a02a359c3e473ef29edd277ca72b5e5d9573b79f086714dcc1c1746cbafbf14c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
48968bc391dc23b3aeddb2065751ae93

SHA1
6e61192ec27b51d0795dd61d66e4eedc033f2e40

SHA256
130fba879f0c1abcd267d5e0b5561b7f1360ee17097bb7888d81830f367213b5

SHA512
3fef09db51a948f448783eedbdd0308dd823cd8e20cf7bd96d9d2b74a9bc36cf942ae75b075e1704ffe11e2d4e0ef0962319bb6769d25964c77f5dd7de943112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a654bb48253f6c9e386bf7756376d52f

SHA1
397c1948bdc1142bc0aba60db394de12529d09b5

SHA256
35d0a8af5869af60e4e4e158972861d176b3f7b7467cf6b086f6bf4cb83e4c11

SHA512
4b6120081e932f7b103c703a99d9a3bc849c53688a31411f781975e6f97581b54dbbf68d59247515f5cce91d51a2d0ee93b81b1523a5f54376434aa9f07fc3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b00c2fc6b21985271191b4f51dc0d821

SHA1
336c0d16fc2d9c7f1b97503cfbf579e176b6b943

SHA256
d921669683e38283e9c41e1181598f83940e655a55671783624d61a752cc23fb

SHA512
61b045e4826635dc9bc2ad949d28403935ddeaa26413eb2413ab53fad25b4c0430c3cfd4282962b668910cd4436119a1a695ed6cc3512bed82accffe4ba5b0bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4791cd048736d8ac5c42447e66fe7f94

SHA1
ed292d227b96343e3d8e146b17c6f53294029b48

SHA256
bf1d75bb40145173df381efe1849322b133cd023aa7b1bed3147de39659caa0e

SHA512
887849bbda632c19ade5d27ba722974b4489d75a6a5b73cc7e00085428ea7edadbf82d908d96c3963fd98ad9d6aa30f2f74c7d8be2766a7f485551600c578abe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
57d1c071d32dbae3e47833904035a5fc

SHA1
838984a474e0a5ea633ee77c6c8451e293ebec6e

SHA256
588c5b659b284e277f19249c89379ae8961976d7de7e08f6494594a881bd8792

SHA512
a9a23a74ca19643c1483323c74c87bf694da7c0263c882167326b94d52809f249e7f1265a932cad5422b29e4552ea501bfc38576e569a9493df1e7e061dd583d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
3c912cc507b6953cfc15a194fb198067

SHA1
2d26143f78f238f56a18baf3a70d17af781828fb

SHA256
10fd3b7aa2b8a35272b61b89bf62d70eaa3ea6e61b70bb43fbf6588080597ef2

SHA512
249d6316555f5859932cdca59627ba1fbad5a55544353a9fe4403d24acdcd7775c6df9da8e4114b6f33f4d30a2ad2c70c3bae8084bcc14ea053c7c7552de3304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cc1a.TMP

Filesize
48B

MD5
7a51c531a42321acf137939cdcfb52a6

SHA1
8c67548ad26ead8c213631b548842e2adb70853c

SHA256
a93e4c415ced1452cd2d687ad490131d807bcf5b8c19bb1c8c31dffdc6be5629

SHA512
a8c789a21c961dd72c35859e998ffed00b67e7b64f2d11eca870392cd56cddbaffaa62d1ccfb7db9c50885da93c0f91578284cb1096411713143179c2deb9906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
f552abeed0a818f385307e8990b4abef

SHA1
910a30bb5ad69ff233a8b7e98517b9417da5a467

SHA256
a8e483ec2a552f54658b37b6bda2b2bf5b1132d628bb05d1522de74e9d33b97e

SHA512
7b9f93727af283774d089bcd282b66dd2ff7e134be99da316a1ae507ec0999739f1f002ca0568ef5785a6d4f6aff3bef47345947fffb760b2c91426780ecb702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
f59a0aa6039e7bdf0475a19a65057b4a

SHA1
b8f1755aff9cd10f36acd19a3006ea5065365be1

SHA256
4ab601590327d622d18829fe3af7960d034a5ab8056e888db79b00858c7a3bea

SHA512
908ce215b32b04607411e76c76419f7d26eeff2fc51fea54eed8b0291dc2c0a1813f3850c1551d6d8555c342bb102d30112d50bb2f9c5ad59d9a4c552342f6e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
79e4b1bc40f79edb6e0f9330998556d8

SHA1
85059ef7868cd79b22984266a6904db01fe245cc

SHA256
0bd40769df5f97442d16abdb09959c22df9f75030f56ea158fbf2c51a6c71ab8

SHA512
0ec890276931270c6d2d29d99efed6db6825c898600550f5201c2ff9043403c153d90888b376f7202d3ab3dff568bd4269ed268fc9251174dad8ad0ac2058eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
e967ad9de7e9532445a0b685989b02cc

SHA1
d9df64fb65f7dccdee8a1d124a0b6a0bf568082c

SHA256
99778f15391894327e78a66a55889f247f6a8699d02f3840b6aa3bc43ca3452d

SHA512
0c06fea5042237540f01cc6769705df1fc186da77118ff9032de0d058cb028ed5f38e987e349bc895a70656b4caa07414a912576c8ce7531aeabea0ef5c7b426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
4febe485c78d5b8d05343c3c72179cb3

SHA1
edfead0551b71aa00341704f5d9a1fe90a29a06a

SHA256
009639bc4b4af21495e796e4c8b0266b0a850d0c9c25ded7d91013a71aaccaad

SHA512
6a915af6ed16cc413e1bcc1d2f81a951ee9dcc8602bceb7d85c45570e9f3db050b3822a5b7c7a06d39e53d523d7025cc6c0c0d0ded53d9da47af32a3bb01939b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581efd.TMP

Filesize
105KB

MD5
6af7cb75876661b6e615b4f613a45e7f

SHA1
9646e47c9c48300c2caee1c54747bd1c003ca64f

SHA256
dd26900c9ad65bd60e86437241d9d1c4b96f3f2dad87d8b971ec841ee15c3487

SHA512
2dc66a846c7784b29e04e3e29cfaccefb370f0c28a369d5a37b780d08dce959c18985e09ad7110b9ac8f5a3729fccb85932cc2154a539d7b823b33a1fa7ff860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
18121f2a3ba9d17c943c87f712d552e2

SHA1
935b19205a4007e5729e3ea7a3b9bc7835af3ddd

SHA256
77cd89729d2a2a1f06c15bf148832923bf8106eeda9419ebf1305c8990d2b514

SHA512
1e493030ed7e4c2bf8dadf48bdffc95bc5b35dd5d9db75345e0002e6e9c883b7a1d706cd7b23ab23655f22a3d386971e03b7b807dd816876cce2110425a87637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
f1e064e023e9c71c2dae254afb027ab5

SHA1
a90151a99affaadc2928b6c972941b03017ebc03

SHA256
51855d4afeb05275817c4a6902b51971f779756dd232dd4afccd17d99f62f7c9

SHA512
60851f54158a54d951ade66d535e619c0ebf828484eb0c24a9911ed2a138f698df5b154b6ca0160b36ca3855a4881ea77a94facb2806380502eb47e87561136a

Download Submit
C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe

Filesize
78KB

MD5
b9c844da75ac53eef059d1c96e1bd28d

SHA1
e4ab7a4017e231862e0eb30b986ba0fc20cf767e

SHA256
355356788b0f21e59561a73263baa7513e6558efc35ca72daa4acb36e13f8dd5

SHA512
2d1a8e5a785da1db6bd6a4c2b9b1f8ebcdb23ec2228007f25af9f324b666a07199173efdbcbfbebdb59c7189282004da670037d6ee208818ac83dd09f5b4f49b

Download Submit
\??\pipe\crashpad_3300_WIPCKLPHKLKHMPYP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2716-464-0x0000011F00850000-0x0000011F00868000-memory.dmp

Filesize
96KB

Download
memory/2716-474-0x00007FF9C0B33000-0x00007FF9C0B34000-memory.dmp

Filesize
4KB

Download
memory/2716-471-0x0000011F1B6E0000-0x0000011F1BC06000-memory.dmp

Filesize
5.1MB

Download
memory/2716-493-0x00007FF9C0B30000-0x00007FF9C151C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-466-0x00007FF9C0B30000-0x00007FF9C151C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-465-0x0000011F1AEE0000-0x0000011F1B0A2000-memory.dmp

Filesize
1.8MB

Download
memory/2716-463-0x00007FF9C0B33000-0x00007FF9C0B34000-memory.dmp

Filesize
4KB

Download