discordrat | 35d13505df0417e4336ca25dfa575e4164924cf1c4e4411a37e78c60ee49418f

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nitro File.exe
Size

209KB
MD5

4be96138987493db3a2ffc7a53ccaed4
SHA1

585697465bf85c77f7abc74f707fa238bda203a0
SHA256

35d13505df0417e4336ca25dfa575e4164924cf1c4e4411a37e78c60ee49418f
SHA512

d0d7bc465dcbadccc52ed8b8d7a2eb80ebe23421bdc06dd56392b8caca1ae59671a9976f8af51b97bdef88093e49030ae8254573bec427b84d00da4a6b726f95
SSDEEP

1536:t2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+rPI3iJJGcTJPkm:tZv5PDwbjNrmAE+DI3iJJGcTlkm

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE4ODAyMjM1Mjk0OTI4OTAxMQ.Gu2_uP.vLTi_dwhJzEADGTXokjHNmF5ED4bLR5HGYDIkE
server_id
1168062993934852176

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133669780790864615"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2632	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	Nitro File.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2632	vlc.exe
2632	vlc.exe
2632	vlc.exe
2632	vlc.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2632	vlc.exe
2632	vlc.exe
2632	vlc.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3060	4820	chrome.exe	94
PID 4820 wrote to memory of 3060	4820	chrome.exe	94
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 1440	4820	chrome.exe	95
PID 4820 wrote to memory of 4800	4820	chrome.exe	96
PID 4820 wrote to memory of 4800	4820	chrome.exe	96
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97
PID 4820 wrote to memory of 2992	4820	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\Nitro File.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro File.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishConvertTo.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4911cc40,0x7ffd4911cc4c,0x7ffd4911cc58
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3812,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4880,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5044,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5100,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4476,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3420,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4596,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=212,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3356,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4380,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4440,i,9575801909536290999,2031134512225454311,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4984

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
759e8ea0b872697aaba7df72a0f68495

SHA1
a96f3c4b3228cb50e6966621869b79cd9ac24d71

SHA256
8c830638afe4291599d3e70bc50cb95fa3b9c54dc1e4277828ec3539f066735d

SHA512
b8d5fa99e55320e3fef45752d4e5ccd1854f6481d5a4d52b5ea65790b981952eecc4c117d772d115546a6721afc2866a73d9f76d4746ae6ff462e9daf22e3222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
f4950abccaadfc274c2526595779c2cc

SHA1
37c29ade9ce30fa1aca9ac71bbae8277d962944e

SHA256
06af0ce56acf0cb296725601d2d9bc1f881b80e469451e554322fad981f3c712

SHA512
38de15a6689584a2fbc63bbfc07b56c113f68b3a931cc427ff4719c402996a254a29fafd97e7a8026923e4910e1f8f98e57723752901a36fafaf8814c3578b15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28e3783f882670e8340caa059e97fc7c

SHA1
15c56bf46d508ea8c73498335a14ae785407c5b7

SHA256
c7ec3a5e525efdf66c6d8c64a8b7307222da7c1552cd4f10320f45ac95e7c847

SHA512
80ae1be3ce8bc92e512529adc4567322785134fd780ead1945f5db10c3f38d9f58b74fbb290e6773ec4c307c5f9e7178dda38f02665af0c3af84a8db394dd7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a54ecd0a65c8882faf1958f1144095b1

SHA1
002b8030748f696c1dbbb5b8d64576bc1b4fe705

SHA256
3a06bf13e072992820859523ddc6edffc209389b77796bc7f946db205ae7702d

SHA512
6a2275371867486a03524fdf5cd145cd42982a0becd275786505370ef75a356163dab0d7aad19b80cfef7b98855cd1b064b62411dac634f6a66dd045423c8989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fcf17b764ca2158a7d611e88c0fc9589

SHA1
4794f17ccff635e617710427aff3a1066a2e8b2f

SHA256
6ff8f24aa054b773b38ca46cc08b2ac6abd25f57b606f2cf6e66a96a6fe69f7a

SHA512
0d2a8c6a3abd0685cfcb950ff10b662f8a27d0d598884273ef8afb8cedacd10f30654e7298df03a8cd0fa6906e8b4175f04e39a9489d624ba5ce604347bb37c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cb3516562873fc170a49f1e3a76fa0f0

SHA1
c297783d32cd3863e51eeb9dd8812db740e15237

SHA256
5b102e50ead60aed474841cb8c146fdda76f8e127686a99de8ef8dbdc0ccec04

SHA512
49ca41c7e6478e006ecdc580328b371bcede641002362c6eecb09cd9e6dbac9288b3a3ccea4ece5f8e2afb70baab802e1fce121d7fe012bbb7a0d9fcb94a116b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
59bf37635319905049ceee325db05262

SHA1
e267fee3c8ba8a4d3e09cceb365a5c08c94e81fd

SHA256
8f8801aac342e307d30ece813b9bfb99d386b93a9231dc08e0314831a944bce0

SHA512
f7d023ad02538809031d23192cda012cbe4248a31017b49778f4df37c3a6e28ef20993f65cfa00b6d53f577110b1608afb90fac95d523fd0fd3b24935bc0257d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
d6437fd2cd1cc80644b44853335ed4d7

SHA1
f3c0cb59125575b554494ee974b969ec87e74157

SHA256
91f3b0b1dd3109a68fbbf12a1b55c79824cdf8bb13d71a53159bbab703a88c12

SHA512
183e0ac01c3afa64a7664be3df1a7aabf71a4c876dc305ba02ab31f6cb4ff19188726f263d74557088a450c23dfbfb9085c04282e3e1e06ad6c83822aa13506f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
b62a9864c3303a2df1bfc99596be7383

SHA1
5a07f21975d281e53417dd972f939899fef981f8

SHA256
c871780b43d7b61f3319980f99b89901970fda9bb0e174655a7d478bbc757665

SHA512
e7cbc1484993ba409378287791eb69ba89fc3e772e06c318494498a39008f15235fb857f02a5350d7f06b5e7e6245f2ed981593b9c32fbdb073fac51ca6d8302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
8KB

MD5
1910f886d4651324bb438b2a49f18d51

SHA1
99badbe782e234e76e63622d88b1ba186089d99b

SHA256
a9e4284be36b5257d1a7ac9db65b35fd4da8f042b4b886d3633be89b46b51962

SHA512
e059f6428900b8ce9589b3619c686d19c7086ff6d3322e181b37ceb55d394cfd7d7c62bfa1ff8a653080b3f17579e031425bde11bde28911989dbb269e6927af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
14KB

MD5
53e073cff4b8c67c36e09c6346d46ba5

SHA1
f8f950caea9b659dfe2d83b474036c8c2c52de3e

SHA256
18fab33b4f8496e9a773271f71fa3a7886fd51e4daffcf21c0e9a39c04c37f96

SHA512
76092660e16167333fe372484d7efcd699ae7df3824e833994c0a1eec6740f17285b18c229278920ea3fe68cac9639408205297e9dcaa1f14c5ceda9a7d5225c

Download Submit
memory/936-0-0x00007FFD37613000-0x00007FFD37615000-memory.dmp

Filesize
8KB

Download
memory/936-4-0x000002827BBB0000-0x000002827C0D8000-memory.dmp

Filesize
5.2MB

Download
memory/936-3-0x00007FFD37610000-0x00007FFD380D2000-memory.dmp

Filesize
10.8MB

Download
memory/936-5-0x00007FFD37613000-0x00007FFD37615000-memory.dmp

Filesize
8KB

Download
memory/936-2-0x000002827A930000-0x000002827AAF2000-memory.dmp

Filesize
1.8MB

Download
memory/936-6-0x00007FFD37610000-0x00007FFD380D2000-memory.dmp

Filesize
10.8MB

Download
memory/936-1-0x0000028278180000-0x00000282781B8000-memory.dmp

Filesize
224KB

Download
memory/2632-19-0x00007FFD31000000-0x00007FFD3120B000-memory.dmp

Filesize
2.0MB

Download
memory/2632-48-0x00007FFD31DE0000-0x00007FFD32096000-memory.dmp

Filesize
2.7MB

Download
memory/2632-33-0x00007FFD33AB0000-0x00007FFD33AC1000-memory.dmp

Filesize
68KB

Download
memory/2632-32-0x00007FFD31300000-0x00007FFD3137C000-memory.dmp

Filesize
496KB

Download
memory/2632-30-0x00007FFD33640000-0x00007FFD33670000-memory.dmp

Filesize
192KB

Download
memory/2632-29-0x00007FFD33AD0000-0x00007FFD33AE8000-memory.dmp

Filesize
96KB

Download
memory/2632-28-0x00007FFD33AF0000-0x00007FFD33B01000-memory.dmp

Filesize
68KB

Download
memory/2632-27-0x00007FFD381B0000-0x00007FFD381CB000-memory.dmp

Filesize
108KB

Download
memory/2632-26-0x00007FFD381D0000-0x00007FFD381E1000-memory.dmp

Filesize
68KB

Download
memory/2632-25-0x00007FFD3DE40000-0x00007FFD3DE51000-memory.dmp

Filesize
68KB

Download
memory/2632-24-0x00007FFD3DE60000-0x00007FFD3DE71000-memory.dmp

Filesize
68KB

Download
memory/2632-23-0x00007FFD3F020000-0x00007FFD3F038000-memory.dmp

Filesize
96KB

Download
memory/2632-21-0x00007FFD2CE50000-0x00007FFD2DF00000-memory.dmp

Filesize
16.7MB

Download
memory/2632-47-0x00007FFD48FE0000-0x00007FFD49014000-memory.dmp

Filesize
208KB

Download
memory/2632-46-0x00007FF6F2C50000-0x00007FF6F2D48000-memory.dmp

Filesize
992KB

Download
memory/2632-34-0x00007FFD30FA0000-0x00007FFD30FF7000-memory.dmp

Filesize
348KB

Download
memory/2632-49-0x00007FFD2CE50000-0x00007FFD2DF00000-memory.dmp

Filesize
16.7MB

Download
memory/2632-35-0x00007FFD30960000-0x00007FFD30972000-memory.dmp

Filesize
72KB

Download
memory/2632-31-0x00007FFD31380000-0x00007FFD313E7000-memory.dmp

Filesize
412KB

Download
memory/2632-22-0x00007FFD44F00000-0x00007FFD44F21000-memory.dmp

Filesize
132KB

Download
memory/2632-12-0x00007FFD4CD90000-0x00007FFD4CDA8000-memory.dmp

Filesize
96KB

Download
memory/2632-13-0x00007FFD49BA0000-0x00007FFD49BB7000-memory.dmp

Filesize
92KB

Download
memory/2632-14-0x00007FFD49A00000-0x00007FFD49A11000-memory.dmp

Filesize
68KB

Download
memory/2632-15-0x00007FFD48E50000-0x00007FFD48E67000-memory.dmp

Filesize
92KB

Download
memory/2632-16-0x00007FFD48890000-0x00007FFD488A1000-memory.dmp

Filesize
68KB

Download
memory/2632-20-0x00007FFD3DCD0000-0x00007FFD3DD11000-memory.dmp

Filesize
260KB

Download
memory/2632-17-0x00007FFD487F0000-0x00007FFD4880D000-memory.dmp

Filesize
116KB

Download
memory/2632-11-0x00007FFD31DE0000-0x00007FFD32096000-memory.dmp

Filesize
2.7MB

Download
memory/2632-18-0x00007FFD44F30000-0x00007FFD44F41000-memory.dmp

Filesize
68KB

Download
memory/2632-9-0x00007FF6F2C50000-0x00007FF6F2D48000-memory.dmp

Filesize
992KB

Download
memory/2632-10-0x00007FFD48FE0000-0x00007FFD49014000-memory.dmp

Filesize
208KB

Download