discordrat | 9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845

Resubmissions

13-07-2024 19:37

240713-ybwfxavapr 10

13-07-2024 19:36

13-07-2024 19:36

13-07-2024 19:34

13-07-2024 19:29

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-ja
resource tags

arch:x64arch:x86image:win10v2004-20240709-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-07-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rostrap.exe
Size

78KB
MD5

c806f00fa32f343f9849c77003bb4cc1
SHA1

4a80c5b110f93d9dbcc85885bbf231de5ac8ace6
SHA256

9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845
SHA512

bac500e08913263bcabab7622eb7d00443d3d426cee9000edcd7b6089cf6e42be2a6b8f93fa60ef703b5400016febf8fb4c922ff17f2c80024a39450440deeb4
SSDEEP

1536:Q0QhcOUX0RU1uB3Yec0OIwbJNrfxCXhRoKV6+V+ttD:Qojj03wbJNrmAE+DD

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MTcwMjM0NDQ4ODUyMTgwOQ.GyJxES.iPPznz14IbFotKTZ3KViTwuS9T3PzEb13fnomo
server_id
1261715255004762132

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

40 discord.com
70 discord.com
82 discord.com
5 discord.com
18 discord.com
41 discord.com
71 discord.com
83 discord.com
6 discord.com

flow	ioc
40	discord.com
70	discord.com
82	discord.com
5	discord.com
18	discord.com
41	discord.com
71	discord.com
83	discord.com
6	discord.com

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\INF\display.PNF chrome.exe

description	ioc	process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653730452101188"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3096 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid process

2588 chrome.exe
2588 chrome.exe
1604 chrome.exe
1604 chrome.exe
1604 chrome.exe
1604 chrome.exe
3264 msedge.exe
3264 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2588 chrome.exe
2588 chrome.exe
2588 chrome.exe
2588 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rostrap.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5488	rostrap.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exeEXCEL.EXE

pid	process
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
3096	EXCEL.EXE
3096	EXCEL.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXE

pid	process
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2588 wrote to memory of 4360	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4360	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4776	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 2992	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 2992	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe
PID 2588 wrote to memory of 4724	2588	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\rostrap.exe
"C:\Users\Admin\AppData\Local\Temp\rostrap.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xbc,0x124,0x7ffc73c4cc40,0x7ffc73c4cc4c,0x7ffc73c4cc58
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1980 /prefetch:2
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1832,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2272 /prefetch:3
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2348 /prefetch:8
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4560 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4864,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3584,i,16793927414458528642,13882135466680168501,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2256

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault791285a4hf7b7h4be1hb90fh1a1f4abda76b
1⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc746346f8,0x7ffc74634708,0x7ffc74634718
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13123216552496350090,7562856367492598734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
2⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,13123216552496350090,7562856367492598734,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,13123216552496350090,7562856367492598734,131072 --lang=ja --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:1788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
adc5df1d7da93f3bc5f6e48f46b0dd6f

SHA1
800b275fa735586b9a97b1db239e8e8e50f6c2bf

SHA256
52433d28af7567842720d328d62976b7aa53aee3a46a799299c5f1c082f9e262

SHA512
e67a85ae57801db2b228729d7bf86fee2e23b480d3ee260be7a33f01937e622daa54d0e9db17c25f8669aadf207f700eedca9bccd7236ca660539f1c0ac8cbe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e9d7fd05f2a641c070e7681dc9eab8b1

SHA1
ebf5a8bdbd0c280c57a5efa30ccae041ca65a804

SHA256
6c6ea8e7e277ade6ec6e52cfc4996bd3a302d4e0cb4a95959aa62f972a3e4c33

SHA512
7b275cbe415b98568714038456146e392cb98c00819e66fa33bd86681fdd0d6034b8d61d8afc8471aaec24523ffef5b9d42b62d56e68a3ec33d7f0f21d3071e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
7c2c6b73dd2fcc0539bae5d0dc9400cd

SHA1
13fc513e081c2c86800594d69d5f0a8b56f2c1d9

SHA256
b10865ec06273fbd9b6e91ea191c0cfecfe1d7e1ca50a4d40b3ddd2b468c39b8

SHA512
40ce496c01a03286bbde0c78f8919c4b01e6f189b0eb8359ce470c34c29286f306a77275a69e6eacc4e6d8caf7fc80d924a3a64ffcaef24d8420e85ed5356f5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd64c1aad4a792bb459065c22efe09ba

SHA1
756d1dce5c1dca8844ed0ecb74e2baad2f927479

SHA256
90edcc8d6888a2fa1e11a2c54beb353b1628fcc49422017b459b0363ab039593

SHA512
898c983241b50328ed398c324cb874a49de172f9b039e29d8e3696b833323f34584104ddfe6b2c9b3a9972595bb48d06adc9b7459a3a708ef0d8b5daa3a7ae72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
83ebe5cf2ff2809d9cd8cfdfb72370b3

SHA1
f9600089bf184b98faf328bb1654c7706ea08192

SHA256
6ea44e75d7a324cc1bfaf5b91dc7b43ec70396d99defde83b09cda327579474b

SHA512
ecd6f9d804edc82fdb9ffdc5cf3237175889578ff35f97a16c7770b424dab17554a31b5c292ad7dbb96349e51a696eef9757577c8ad1c429c4e2ed9666e3569c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9506cef3cc26cd629aaa05a66068feb3

SHA1
0e8e7c6b74da31221028081c95be796cc78b2df5

SHA256
850e8701314c2c259aa4d778526ab74c05d46d8c7b20d4bb2b61b57d8ecea960

SHA512
babcd404922fcb9fef649faf4b83ff50ebd365d02129a30ab7d1639e6f35ea8e45e42dac09878efee28646421f566c0a4ca3159391e3b801046d228998a50a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a488a6213e580ff9febd5d1a1ab80c9d

SHA1
4243f54ad7e16330dd80494c4a18fb89948f4c26

SHA256
dc6cf7e0fd201f8d22bd07631e7fc931337f249d54c5529545dc8fe0bc1b3430

SHA512
8d99a12044f4e7c40a75151bef5dead4b0f33a19b3df8991a506bc27e19a68b65a1a0d08ce730bb8011f1eaef30fec2520476b17f3f8f8a889eb293c70fad676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2d3ebb700f64926a2bec48037d479f4

SHA1
1e376cddfe80f03b7776cda5620d8889a438b0eb

SHA256
6d617a6aa2e75b247ab5052a6d896ac7d326d2735d58aa11eb6edb3b5e241287

SHA512
baa6d603b5e1fcc2cb9538ecd84904cf313c55d7a1347fd23c096b064f81d8e085d7ef4d6a9b09719ac8af3014e0cfc86859f3705cf492c11c3b45c880338d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1cd2aad3a368209fc7ae75c9f9d598d1

SHA1
5dece912af808d231c56350044cff8098ed32310

SHA256
fdb27248666915e37e576f2e1fcdc32e2c7a913beac05acc706be63d3c8bb25b

SHA512
e398588cd6044d9703ac193d9792081c8b3ee2d51d7d9560b18816590d8501caf53918c83425f02cff64f3efd6536e7366e9418617fa2c6ca1157b5ee2fa0b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f11776daf23f9fd724611b9081ca9339

SHA1
3ae8a86ed2c238b3d3289e20f6574c081fc0d7b9

SHA256
44a0f96a55065f321fda5155e90c1100ac663495ea9c82166be05c8911edc2db

SHA512
4f1c32986f45f67d936bff3830818844064aef9a13548a25cf7b218653b8da9939511fe786b8da05503c71fd6d76ddc24970974998f79c4f169b0a1b2c10c6c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
899c45529e1983b903f3a4645a52bcb1

SHA1
a9ec93dcc9cf58d2027a1dc5f026d72361de64c3

SHA256
bf8abe0490b0612345121e2d660a9330b50809661e0f1e96d23a64f147bee699

SHA512
960b5e9d6758ef92039fcbac0b175b92515973530ab49200fde3d9f1ed295e339af40eb168cd775f907cae4f96a61b49a0973d97ae4df7b0e65485db2bf7588b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
159e9c8fef9216e6547a9249c1c47c7a

SHA1
bc9d932f3019f4e1b2708007003f7e9df015ff27

SHA256
e6ed0711df6dc02b3775b44457e7a516669172c0df09cfaee0cedddd2dd841bf

SHA512
08ab92c8ccd80d6626c9fb0dc1893fac00efcdf13a019b56f112e29c1792d5e7c303f5d08d0f59245c00e2b888efe8c271ff930d285097b58e52730833b1d575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
edcb0ca85a20059860ff7979e6272240

SHA1
4ae194615425c1ed6cb194ac40cdbc43586b0977

SHA256
9c87c4a3c72665a3b86ba9961d597f8ea4122dcebd86d16e92cba0c68b91a02a

SHA512
c44427cb6df17950c51f0985b81837373c098e687acfcafc18e3807a4eddc045c172d59f6f762e946f6e18c12dba49553854de390d0ca001f3f2e40569248ae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6db6fe6c60dcaa163810466ff0684e94

SHA1
dd2c48416a19399277cd377b0ed5816ecf050dc8

SHA256
f854dd0e9c08c9cfeb03921faa7c1edf2cfb48d04311080bf3501f27a296b74e

SHA512
f7992af2474f8001418e9504b310472391b9f6fedab8ebed9283fc60c920cd79f184a43f96bff5183257daff51ecabd2a7f2d6d4bd6cc69bd622bf22ac703379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
8edbb770617bb80a1c07635619fe007e

SHA1
605c5e2e2e34105dd4200c3ee26eaa2d7a9dd31f

SHA256
f88812236873fd87cc8654d73bb523e63a490f4480025c292b17806b5243e479

SHA512
e197e69a7ac8119e540f3a4f09cb5ff45ac061af71a31d14abeb5c0ef6b0b8a06ef3133cf85b2f0adde70f70ee866a42f8a4b66ed91df224e4fb3f6968f2bedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
d26ff6edc5ff14dbfd38b56e77a49a62

SHA1
de68fb3cc1c60e4320bc7c8e1a1910eff6641f2b

SHA256
8b76543d125cd1a96a7084118efee9a3e0e0ae0142f18dd15852967c8d0c7137

SHA512
eddc7ddf17f720f69b0a8023bc83828afbf007cc85f15d35f41f262e3c029952705136df4134cc060961b38ea7f511b694bac6e1b522f248b903027d8644382c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2707999e-ca17-4641-9b9c-f8af39a36fca.tmp

Filesize
8KB

MD5
2ca6915ee0360d3466e03f0e6d99e78b

SHA1
08d6afb566e298cab57eb8fb1a4e7f119c94dc42

SHA256
2f9f6758c426bb089a0b4247a2524d10593eec9c1379d9d5cd3a013cedf47509

SHA512
f103f3e4faf431e12338b368d08b0b64d0216e8780123b0de91f82bb1d41391e3635c720b02e4f8cff91864d5d1fee99005c7ef34884b625e3d8f994555b3f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fe888d90-a844-4956-b426-85717e2fd505.tmp

Filesize
6KB

MD5
16e5691cb8672c3d7528f37b79d4b8a5

SHA1
889cdd93e3573229437b8a3dc3a08dda12f0b15c

SHA256
b9ed0f5c13eabbbb88ca87b7a397f98428cb3231409b0592b9de74a408b45da5

SHA512
591902c582b7e6cab5c3d78a5d8b042dfc5df8b90da7e7d3a9635c81bac453a0f852fd2eaff6aa7595b57adf072185d3bc3d6099222401dcb8797d9aecdbc330

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
291147e2df90918d3b53923315b44bd7

SHA1
4cc7c0258dc67c966453a4aa9f4ae80616c48b53

SHA256
8d5f8d2725111231bb9d8cd4e8c73300b602b5c80cfbfbba1deb482124d50ded

SHA512
8b5cbf5eab316083ae45c7154b1753d742772108561670be747d0cce6fd7859e406f72e15b7932ea3fea0cac523a921a6269b3cbfaef3d138a8ee449f6d0a3b8

Download Submit
\??\pipe\crashpad_2588_NKSSEXPBQXSZCLLX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3096-100-0x00007FFC55600000-0x00007FFC55610000-memory.dmp

Filesize
64KB

Download
memory/3096-90-0x00007FFC55600000-0x00007FFC55610000-memory.dmp

Filesize
64KB

Download
memory/3096-86-0x00007FFC57930000-0x00007FFC57940000-memory.dmp

Filesize
64KB

Download
memory/3096-87-0x00007FFC57930000-0x00007FFC57940000-memory.dmp

Filesize
64KB

Download
memory/3096-88-0x00007FFC57930000-0x00007FFC57940000-memory.dmp

Filesize
64KB

Download
memory/3096-89-0x00007FFC57930000-0x00007FFC57940000-memory.dmp

Filesize
64KB

Download
memory/3096-85-0x00007FFC57930000-0x00007FFC57940000-memory.dmp

Filesize
64KB

Download
memory/5488-5-0x0000014371970000-0x0000014371E98000-memory.dmp

Filesize
5.2MB

Download
memory/5488-2-0x00000143709C0000-0x0000014370B82000-memory.dmp

Filesize
1.8MB

Download
memory/5488-3-0x000001436FEB0000-0x000001436FEF8000-memory.dmp

Filesize
288KB

Download
memory/5488-4-0x00007FFC78090000-0x00007FFC78B51000-memory.dmp

Filesize
10.8MB

Download
memory/5488-0-0x000001436E170000-0x000001436E188000-memory.dmp

Filesize
96KB

Download
memory/5488-84-0x00007FFC78090000-0x00007FFC78B51000-memory.dmp

Filesize
10.8MB

Download
memory/5488-83-0x00007FFC78093000-0x00007FFC78095000-memory.dmp

Filesize
8KB

Download
memory/5488-15-0x0000014371550000-0x000001437165E000-memory.dmp

Filesize
1.1MB

Download
memory/5488-1-0x00007FFC78093000-0x00007FFC78095000-memory.dmp

Filesize
8KB

Download