discordrat | 41112af8e2607ffffa2d3251374d36c2acd239e04012f4bd4b86d62b71061886

Resubmissions

13-07-2024 12:03

240713-n8hwzasbme 10

13-07-2024 12:03

13-07-2024 02:14

13-07-2024 02:06

13-07-2024 02:03

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13-07-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

7acb83ea4e34507f021eb6d6141a8c9e
SHA1

058ae3035af017e16a1eeae3ca46b4e912420fb8
SHA256

41112af8e2607ffffa2d3251374d36c2acd239e04012f4bd4b86d62b71061886
SHA512

0b71cd12ac99eaa6d97a10386190355852227444c3765ced1bd3e50eeef8ab1c1319911cbf5a954aba1750154fc6356de6be8a9afd72b2b489424de7a8010196
SSDEEP

1536:K2WjO8XeEXF15P7v88wbjNrfxCXhRoKV6+V+3PIC:KZb5PDwbjNrmAE+/IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
https://discord.com/api/webhooks/1261501911916482582/DWfi1umSb2C2qMgkiBlA3CToo-Okuv-IDp-C5Sr28gd-eBo70-5l1Q0ASNbSY0fxONna
server_id
1261501863644368916

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2804	Client-built.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653105087038746"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	Client-built.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 3064	2656	chrome.exe	85
PID 2656 wrote to memory of 3064	2656	chrome.exe	85
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 1368	2656	chrome.exe	86
PID 2656 wrote to memory of 4632	2656	chrome.exe	87
PID 2656 wrote to memory of 4632	2656	chrome.exe	87
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88
PID 2656 wrote to memory of 3968	2656	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99756cc40,0x7ff99756cc4c,0x7ff99756cc58
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1472
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6b10e4698,0x7ff6b10e46a4,0x7ff6b10e46b0
    3⤵
    - Drops file in Windows directory
    PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3580,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4636,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4740,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4888,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3156,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1284
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4576,i,17749128846880710005,10927401447454087734,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3268

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
81696a5bc2d1919b1f569d105724e979

SHA1
2c9e476b3bcc762ea8f7e55e9c55d5eed2786a98

SHA256
facb1c1f15a4a0fd21fb0167d08159acd567c6321ea156da8b3ba4eb99e2f00a

SHA512
dfd59ed226d9a27dbcd186139625ed8ae6f3468394d20d186700cbbdfae7054eb26431b1647e6f47a8b28c9480c8b226f4f1ea9d1a778867be00e8e2be6d8052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2e0ba326293601959663a87691c54d3

SHA1
4d4b4c451dfc5caf724a2b5397fb97d9eda65096

SHA256
44edf5830f9f5ee1c78ade2d36cf065df29a52adc6104a1b699476b36db25691

SHA512
d960705b18b5234a2ce95cacfbe21b7519f287039a5e2a3cba2b61e9c34eb390bbb425ca018e0e12936828e4ca7f8dd391d0addcbc7c925ce87a05d3348681a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
9da65685d636b710f0e465a92e9ea29d

SHA1
c86418a93e4206a40609075e1cbf89ea113df71e

SHA256
98bbf3205c4612af8e4e9dbbbfa692825480ac6def551a0d043af116da4c8e91

SHA512
96a69986d71979aab19d58f7828eed333f2074c75ef27b6589d08c569b08892702747dfee08d836e2884fdcafddee237b25716113e3d8faef2b3a87256c79b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8769f70c20c9b59536ca9c856d4d9314

SHA1
44997786b66bef0229ceffbf909596c78f605da8

SHA256
00d2c7d8011f97ae8995b18e1bc4541513405b2e55d92adf5b2bf4ebf7ecaaca

SHA512
1511a74232cc9a91bb1138d55eed7830008afd167d32e3912c559825551a95b5b4d563db889fc86f413f34e42fb25f6078abbffe377c23f274b2c1f33d0c0754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cd2b34f852686852212f197919484a8

SHA1
429acefa8ad87c39b03e70b83665920809dfb0da

SHA256
f8ed8031eb546708ec7e8f4a45a7f161328a9a426b931a07588ebce01d7e82ae

SHA512
a7964300c211b01e35545abfe9754dcae410ad9915cbdb91a694cd521b242a165e5ad948ddc86d4528775ee6ffad11a4458f5d13549d355f99d9da1f7a669c90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05f3907d02bdccd354aa77e8d76217a6

SHA1
665d7114cdf1a98a882a5c96904866217dae11fb

SHA256
60c43c0223a343e08a12bbef3cc2ed85b5ed077e9e7a0beb233c3e625082c971

SHA512
d280fa759c0f8a87b00c9e3217ea9b0d329c48eaf4a40c7646d21f50f3f7100fb6ece11d5ab6eb1434533bfab8c6481af37b9bcca4fa8f92e2c1ec7ad804ff95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4985003b1a3c75de1a4bd54977873763

SHA1
f4df19b0bcd2ec7e386ad8ac0492b09e0e276e95

SHA256
f5b0207df66ea7d6c47f49bac65c41d79d8c956139171608650613cc215b63b6

SHA512
20f140ff8c03d7b54b0701141d598b3b527cbe064a3bdcfce7422a3f020f43e8d1165953759d2afb2747781411e8d2a480b5f740f7e9a8a122a67e88392d117e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8779a5303be37cdd30e1f8e2066eb1b7

SHA1
40ba3d27bed011118b27bf73f8c1beca67b5b6e7

SHA256
43d32658c69cfa080176f1d5f328662ecbbe32821c1f41575edd25499ecfaf36

SHA512
cecb73de3e17f2a4fb75f47e37fdfd76222ead6d2b641a0b53d3572fd3286bbb1dac0c653802e362b16d4a2f68d9a98314698aba6726c5442ff4ce5e16d22f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bf4247875a9f6b0cc1cb9c2f6b7eb335

SHA1
d4780c310ef561e5271b68c8c6da25aceab10c4a

SHA256
070fca97523045f81fbbb1476f027a8768acb879f372df9dd94e1e29f5068852

SHA512
04a668f84e5cdafe7be8322cbbac9c6ce1a886d04428db346e136e891048727aef440956fe588b89bc757eff333226f73d3696e649087a5f12f62b2922e37f1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
25e48fed31c36e7086d7e9a90f076d27

SHA1
b9d1a808a72dc66b39b6184bd5b2fcb3e7a09eec

SHA256
fd70bfdd644860d75a2463ed1fa125cee10e4722c68769aecf8f8ead19095e7f

SHA512
e65a7d0a85050f28beb0a7afc54983db0fa92068077fa5e5b0383c2ef21873e488259218905c9bc40e86279495d4f89fdb57d92a62f67e988a9db198ffb7c562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dfd912da2403ed0e7ecdf9a7b54f32a

SHA1
144b61b591bc57ece104c44c43015dfcb0034a36

SHA256
436049d15f2bf16ff5a56b57db060f46eb0ad33abd17ab0228db908ac1d59e63

SHA512
881a793dd42aa2e613aa3871b55277bcf498aaed5eb5e475dfb9654f8e8a1eb5ea0cab35e87e3c124602dd76bb53a10af0bd114275539bfa1e677df29ae1c3ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c4532cc56f2495e6e08fd0049728063

SHA1
f1e35bbe240f24d5bd7fb09f1ea6977f78716a8c

SHA256
18e14826015914e1dc5da26907f13b7d28de51e44e8e812e28baf281aa6f4b12

SHA512
d10466f81fc046479ff8ab9a5faec5088202026dee380fe54907fcef06a7c55723dbb26b4d5a3f4f7fd4b7d1a5e60bfcc2db66dd63e2be55c1899bd8d0c5ed72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0c4df6c7d3f0639e663d5305abe2f2c2

SHA1
56cf764127a2234490b7295cfcf89f4c7bac5f2d

SHA256
4ef3da7089f9094f58a96b3379131179692889d2f40af8fd6aa288be1e67c6c7

SHA512
9d96e419f7832db96c9ae488c539a6fe9dfa21fcaaee57d7c9b2bb67c9fc7bf734d31094f45201634f548b3a256e5034ce675bb06ff8b19371d8ed9ac34bef46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bd476a7055054ebbf02bf6e4554f192b

SHA1
39aecd45991639645517006364c4477f29b80bec

SHA256
b82732f732c03b65519b069646bd39797778d4d52406ece6f6ae0458b3fb8084

SHA512
fe164c26f27bc2b7c1f8a4ab6b4545addd7d4ba9d2dd830b6da4b1a95d78340e9fe13414bb2e10e808e05c0990d41317775928a9e77d7c350190b171f46d5371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
f8e59be99806337c43b3fc59aba43711

SHA1
0e0ba3bdf279788aa8faf297e7b658804fcce268

SHA256
4714f3e37b9c2ed965e8b46bb861737f51665f5f4e61ffbb6502815d6a67445b

SHA512
7159b22d28db4b3aad79abf97796493307043b164ac2c83ef60ab30a56c7c2ddb5be447ab35c23b64c64c1fb7827c6a1b29552154ce1eaa040f5561ceebedc19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
9aaa5809ccedf6c1a63c200be635f558

SHA1
024b7bff9d7e727232aabb7b7a142ee01592ef80

SHA256
cde6d24c0181dac78c7fe72fc6ba147efab93a9d2634c6de132b38ca25b5aa55

SHA512
c2397ac689e39f2878b6bc593a0cf6a8ab726d823b0f41b98c8ba20fdd82d28f4c2f9db95da970e7af88aa57981dfc47ab266fbbf806f044d9a8ff3cc847fe9b

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
0cac41b42ebc9190352d30f803a65d75

SHA1
805e6e3af9924476e51486f60cb7c0bc4e287410

SHA256
2f002d855d0e2f3284a8df5a2394b6f4018e1418c9d638cb87e563da8c56f549

SHA512
18dc52a363834129f137dbecafa613587c124f3b2aecfc2410e5af54c0531fdf04df8c02f201c4f7bcc6bd8d1a382c9c893c92f8e01ab632bfc756bf19b11dd8

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier

Filesize
159B

MD5
7a4aa808e37bf952c315615803c31295

SHA1
cc4e38726ade51c2c912d23bb632f700e584b358

SHA256
dd69befa9dbe84190d98097adeedae4e2c0c9ec0a1e5fdab7b3ab42b0e430b41

SHA512
467412f09bc498bdec58107bd8ff5fd1efeda7491d6011ab7c3d5008ec2bb92eb0a51a41f6cd3fcf625fd1fc6cb15ade794a488f3ee1f019911d3535ec23e41a

Download Submit
memory/1388-58-0x00007FF985B90000-0x00007FF986652000-memory.dmp

Filesize
10.8MB

Download
memory/1388-57-0x00007FF985B93000-0x00007FF985B95000-memory.dmp

Filesize
8KB

Download
memory/1388-0-0x00007FF985B93000-0x00007FF985B95000-memory.dmp

Filesize
8KB

Download
memory/1388-4-0x0000024549570000-0x0000024549A98000-memory.dmp

Filesize
5.2MB

Download
memory/1388-3-0x00007FF985B90000-0x00007FF986652000-memory.dmp

Filesize
10.8MB

Download
memory/1388-2-0x0000024547FA0000-0x0000024548162000-memory.dmp

Filesize
1.8MB

Download
memory/1388-1-0x000002452D940000-0x000002452D958000-memory.dmp

Filesize
96KB

Download
memory/2804-154-0x000002475B7F0000-0x000002475B808000-memory.dmp

Filesize
96KB

Download