discordrat | ea5cc81ce53737a0d2d23c3cafb1414ea26c86368f301eed01fb00ddfec0ea1c

Resubmissions

01-08-2024 23:08

240801-241g4swcpc 10

01-08-2024 13:26

240801-qprqwaxakh 10

Analysis

max time kernel
129s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

2c2a80b7bdf3fa8cb1407163c66b2184
SHA1

5c1521787bb363b91510c6615ce387a81888dde2
SHA256

ea5cc81ce53737a0d2d23c3cafb1414ea26c86368f301eed01fb00ddfec0ea1c
SHA512

9271888b5ad1ddbc8394a34af1d2a2c9c3f6c7d762cd18717ac5c12e4a9e0dfa02c80eebed54dbc0e80290a7afcfa10a1cb847f382250f4ebb97b941915cd9b2
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+DPIC:5Zv5PDwbjNrmAE+bIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2ODA5NDg2ODg0MDc3NTY4MQ.GMqsKG.fTOtFQtG4XIs5szmOaKluXcSYy6jMs-9mbxvoU
server_id
1139953620696191017

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670274800867482"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-243088447-3331090618-2776087093-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-243088447-3331090618-2776087093-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	Client-built.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5264	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4560	1576	chrome.exe	82
PID 1576 wrote to memory of 4560	1576	chrome.exe	82
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 1204	1576	chrome.exe	83
PID 1576 wrote to memory of 3916	1576	chrome.exe	84
PID 1576 wrote to memory of 3916	1576	chrome.exe	84
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85
PID 1576 wrote to memory of 532	1576	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3676cc40,0x7ffe3676cc4c,0x7ffe3676cc58
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3584,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,17379045595017435591,8968077809798294836,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:2108

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1012

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4240

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2332

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5912

C:\Windows\System32\kgqkym.exe
"C:\Windows\System32\kgqkym.exe"
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a5c7837ba2ec897a6c1855bf04913ce4

SHA1
564b55839167caa08408886a105d1f14f67a6879

SHA256
7a8eefd7ae3a42fd628c9d46c7a9fba0bd543dd921094216676e15b4095542df

SHA512
fd80669c9800829d34b85e983fd6618a0596abf3c11fda40202d06d041c4c58213db451d013d73cff1e4235897bd8c091934a1bc4334c189a1b671a389112745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
361390eb28abdaa67e9e9796a2260314

SHA1
bb0815223fab78df124369e6cf37b12cfacc3258

SHA256
35544a16fc96dee4ccc3d50f9a8a7bc1293ff41ac75e32933408048655bbd831

SHA512
51f640d686c914fc71a1adf61bbe2e06404f939fab3d2f5c76b046d16031f12e7d58dfe6b515021619be023c170cedb8cf58470c8e4fd4c91e8d10e3c761b286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
09043eef39e485d850f8d01679e3a309

SHA1
d3564055d7cc34cbe2e060b6e1da0e81d6c71bc5

SHA256
2999e5413b56072fd4e7ceecabb484417fd2234732c1630301787c22397b17e4

SHA512
50f16f973c93c04533e14660fe625b7d022d2f63260f8382758425de2df493c02d2248058efe2aecee34d843b82ee6e1481a9c70b031a54b57d3057046c427ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
41e9c1b78a6dbdccf09f88e2172f7c30

SHA1
eca96401997cdd6770f518ad02a57b99e9acc050

SHA256
0188747d0cb8bdd011716360ff575dde2baeca6a12b977de6af1b34455597012

SHA512
abb8d629f7fe244acc6b14cc2212b82b0a4106d302f1f03dc25424e8ec370a5ebdaae95f752b3b87c6f6609e2ddb1f2bfbbc07f49a3ac0a9c9375b6296280bbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
801028b90f4e49881a978eeb52f00056

SHA1
c822a7b2d7c57b0e9c354f3ee625ab86647b446d

SHA256
f67e6ffa44e85588efd8769269580469a580ffb2cb4feaf0ec6b1d2d2193503e

SHA512
a4ab646210ce02d785e622538894914c5e26812b59c31c0bc155851c19986c6af047a1628e588bbecd529b8f4ad6f3af2c54432c0683694e9d24002bdb2de074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cb8e1c4291a932851c44cb7450ff4782

SHA1
45c4b16d2eef23bec49030a09e88dbfdee275124

SHA256
b9a2f83f0e96b83c2415c932315d6e6207499f540b8338967546133592e76241

SHA512
972c787718deab4f6090c6f338a71b2826a230305c042c00611d18bc64de0fc15f28a58166e6e448b240719bb130f95d26cf40c0c1cf0f018cfe6ee74678e01c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ef99764a1a7764947be80d959041d50c

SHA1
ebd210428938101fb5a7cea9901dcd654e496f70

SHA256
332798860ab1a32252dfe3be12b761c27744ca20cf565a4b57c44eb45062b538

SHA512
03c5d8ffc44dcfad13e79671fa3d33df56346614705ea54faae8ba9b5d48b524acba81ae245c30354d31deadfbb719f09f7f19a46ff9a79316c287d19b718d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
dabfa62eb3adca915942cebb2beb2b09

SHA1
cf0e3b7b2554b0e555c1f5bdd00cf100a90c2361

SHA256
e98b08b4266a7a7525476efe4f58a12cb2fd3d36c165756c6d990e69d7e640f5

SHA512
b0cdd7324b2ff3a9895dac7f17df9386ec1fab1c855ee16e97cb6aedc24b943fd2d4f33727583d67d7ff9cfee57adcbedfa7d87e523dea2cb63c051847df2fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f9079e4a69b58945d9051049dcf6654e

SHA1
00231f5691b6ba8ca80ce0c81d638441dde6a091

SHA256
1a9f706f6400a31540d2e789647dba9e7e23f02dfae7128d91b2bc1091bd7381

SHA512
b4a7a0827e1ba94374a305ef91451609c3953292f4d3e05caaeb1ca6b97346c1d28a1c35d1e0c593808090f9531abca94fe137364c76fc9e1c7102fb2b96f1f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f9a72837fa4fe69f289b93602f40114a

SHA1
13893f7cd541b0eeef04d41030f6a70a288a6c63

SHA256
3d6dcc68de7b868382cf315f83b412a43e5fa76adc91e2080e82270203dfe0f1

SHA512
47258b9d4a512dcd9fe3c931ae38961c68c76c18555d60c5752be249f9decf4d7a52aedd4bd58050ba38f934f58bbe59b2f92fa967071a709a198a65cf74c688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d3ab411e9a951aeaebc9e0f39eb4b6ba

SHA1
69ecb883ed0ddcb993c7be4315a38a29f0fd3e00

SHA256
c4e8d3e0ecce8caeafafd15e36fbf747e205785c5e9ede804e01baab08b5843d

SHA512
2ba23f92e1d5eaf28c3d742ba505fbdd765591805197fcd3c22e3bd1a62a0e3dd5f265763f03af8f9711261b902a60616558eb4a5eb2f9d8c0d24ab8ab04df7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
28f2e4a690dd8abba8696cd8956925c0

SHA1
5d68766a0e5e12d0e379227f3b3a59bc4989e47b

SHA256
fc800dbdef2968d6318a77e02dc69267fc926a483b4df7c52d98c304a767dd10

SHA512
df09a796f7d6da593edf47918bc81c11e7c871aadd43bc55019cf9442fdcce147782ad581de45e6e95a6db8c63647adeb33b7fbdebfa89559a389faeeb2c779a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
3612edd282e375ee75601fe0896eaa48

SHA1
2ba569f2e7e2ce4991570b26d09a98e3ef270572

SHA256
8ecba5ab9eccab23493b8dd1dd79b798bc7a0a4e9c94d3cd840b4a7c2861c845

SHA512
8aae36c025f01665bb688de05693e62a0e384b7fc8ccb3cc49e06126ef99813a0050719ff65129c7b319d6fc326f8e521a864c2281cffa66614cfd61a21a12ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
33e867e0bb82e7618bd1025bf8081c43

SHA1
0bbc412e7972c2ae4aa22c8a94d835d269bd340f

SHA256
8a53ffc2b8da463ec73e6f605f35fd6f6b97197ee938ff231b43b1fbd4c026bf

SHA512
0e02f63c904e287028748892b6c9bd52e80912f67c6a6a70078f927ca5ebdc3f5004911b368fc507c64cef2cca7486944cef11441191b951a0c18ba1bb2591b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
cf2ba48b47cca5da65416e00e0caa6f2

SHA1
1c6e2e69067eb812b132e8df7ee071b00dd5ade9

SHA256
69b731bfd762976c27fda5f0e5a52c4f423390f846922172a97251ff1fa7086a

SHA512
2985c6056861982e9818c215f182b48a7eb791dade2475b204777ebec036e5acf4403742123f61c07dae51610c47a5163a24ac8bf0629610c92281f138f73a83

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9fb0d1760c83927e5bad2908e066c05a

SHA1
853d5c95391d5fcf6fc05a7507cfdd68ce01786c

SHA256
64c3d0bc86079fae06666a0617312e0552145aeabcd2cbe8984bb98298904f4c

SHA512
52f65d1af901272b5736ef5ebe96421ea0c022bb30d9cf14bda433fa91166e5f0bf16de8c5daf206859607f72dfbbc0c1e819811449321199a2a354d32df8952

Download Submit
memory/4968-0-0x00007FFE25333000-0x00007FFE25335000-memory.dmp

Filesize
8KB

Download
memory/4968-29-0x00007FFE25333000-0x00007FFE25335000-memory.dmp

Filesize
8KB

Download
memory/4968-4-0x000001AF80000000-0x000001AF80528000-memory.dmp

Filesize
5.2MB

Download
memory/4968-3-0x00007FFE25330000-0x00007FFE25DF2000-memory.dmp

Filesize
10.8MB

Download
memory/4968-2-0x000001AFFECB0000-0x000001AFFEE72000-memory.dmp

Filesize
1.8MB

Download
memory/4968-1-0x000001AFE4640000-0x000001AFE4658000-memory.dmp

Filesize
96KB

Download
memory/4968-33-0x00007FFE25330000-0x00007FFE25DF2000-memory.dmp

Filesize
10.8MB

Download
memory/5584-75-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-85-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-84-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-83-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-82-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-81-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-79-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-80-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-74-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download
memory/5584-73-0x0000019669F80000-0x0000019669F81000-memory.dmp

Filesize
4KB

Download