discordrat | hxxps://temp[.]sh/uMbqJ/Client-built[.]exe

Analysis

max time kernel
53s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://temp.sh/uMbqJ/Client-built.exe

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1ODU2OTIyODI0NDQ4ODIyMw.GnIJVs.5zOhjSe19Xxbj-9HD6xp8S7SsR4uMRCuSTJDrw
server_id
1258830436147396800

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
4872	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
31	discord.com
32	discord.com
35	discord.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133646765490319311"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5052	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeDebugPrivilege	4872	Client-built.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeDebugPrivilege	5052	taskmgr.exe
Token: SeSystemProfilePrivilege	5052	taskmgr.exe
Token: SeCreateGlobalPrivilege	5052	taskmgr.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe
Token: SeShutdownPrivilege	4832	chrome.exe
Token: SeCreatePagefilePrivilege	4832	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe
5052	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2716	4832	chrome.exe	82
PID 4832 wrote to memory of 2716	4832	chrome.exe	82
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 4712	4832	chrome.exe	84
PID 4832 wrote to memory of 3100	4832	chrome.exe	85
PID 4832 wrote to memory of 3100	4832	chrome.exe	85
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86
PID 4832 wrote to memory of 1652	4832	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://temp.sh/uMbqJ/Client-built.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd07f4ab58,0x7ffd07f4ab68,0x7ffd07f4ab78
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4920 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4824 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 --field-trial-handle=1900,i,318298637815053406,6752019517990203327,131072 /prefetch:8
  2⤵
  PID:4584
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3132

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8809978978dc1a0e3b19c09de9206766

SHA1
6eb45d160c99eb42a617fe10590dff81130a88ce

SHA256
c9859292a87550a64631f2fddd34d5585ed0d3415fa0ad241724f2f838bfe67f

SHA512
6d6c81ba56ae68f3fe9b36f1c81d9dacca591ae3dc62310048749620f75860af80785e66c72e3af2c6b44dee23d18dc7dc6e7278edc0ea45d971a2d3173ffdff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5fc8f321fe28770687278d8921726574

SHA1
950c285b13a900dde2e1e3bc51ddfd9e1d021e5b

SHA256
92f2f87723fa8f7fe62017330cc5b8daf58f413351c525f8f56a5af7b18139ec

SHA512
1ae22ebf6dcfaf96f2643ada189b0122c0d66deefd8fc4e8bceca7c1d6edec70e2eeaedef9ee682e283fb0d264fcf45de8d9b0a130b89c53e6e673c308a8e193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
aa4754c287300e54bb4a10de5ad27e91

SHA1
78700d6833154cbe0bfc4db11d3d71f8e6692f1b

SHA256
0500f7126d1e1588584cc488f725598a0f3ab4216c27a4e7b9c4dd2bc674ac46

SHA512
a6cf2565b42d41547f37df771dd463fafec65aaa6eef6d667d2a1221a197d45b4e327d1faf2cee9595515e5980468eee6044b48f5599dac3e5bb4feb2551747c

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
3af7020c009f0a19928adfd6bb0c4020

SHA1
53d39065c64a083761be79f62b5c2f5575286403

SHA256
2d7bb996e36f5788d26e021d056c8ec48bc3dcdb57ffb0f4cd9380e6e84eabfd

SHA512
1ecd3ee565c181284492c37a518c5c3e34e6d34ddcf485c905e34fce95de1cda6ca8721bc5f56d905aa90341eb7f2cbaa3319c7127d3416d08d6f9b371f33bd8

Download Submit
memory/4872-54-0x0000017A339B0000-0x0000017A339C8000-memory.dmp

Filesize
96KB

Download
memory/4872-58-0x0000017A4F510000-0x0000017A4FA38000-memory.dmp

Filesize
5.2MB

Download
memory/4872-57-0x00007FFCFA120000-0x00007FFCFABE1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-56-0x0000017A4E190000-0x0000017A4E352000-memory.dmp

Filesize
1.8MB

Download
memory/4872-55-0x00007FFCFA123000-0x00007FFCFA125000-memory.dmp

Filesize
8KB

Download
memory/4872-95-0x00007FFCFA123000-0x00007FFCFA125000-memory.dmp

Filesize
8KB

Download
memory/4872-96-0x00007FFCFA120000-0x00007FFCFABE1000-memory.dmp

Filesize
10.8MB

Download
memory/5052-69-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-76-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-81-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-80-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-79-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-78-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-77-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-75-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-70-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download
memory/5052-71-0x000001EE84F50000-0x000001EE84F51000-memory.dmp

Filesize
4KB

Download