discordrat | 24de35651f2bd8ec4c45e912a6a988571593d7c751a946ca8bf2011a03ddb2a2

Analysis

max time kernel
152s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-08-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.html
Size

8KB
MD5

8e4e73201c7bfe283ce5920a0c9c49bf
SHA1

cc593df77fd5e6a4ecb08073f36760c525e31abf
SHA256

24de35651f2bd8ec4c45e912a6a988571593d7c751a946ca8bf2011a03ddb2a2
SHA512

be73f2ac8dc3e5565d315500ec1a14de1b7668a083d8b99aae9148f992badc1fbbff5ccece270dbb6db36ec211e4f3417892c4dfe8f35e6657876b2c0d6859ac
SSDEEP

192:gHQs+W13+IQZBftX24VtAFkWDzQK3zLf5nPiLElc2Db1:gHQs+O3+nZBftmWInzX4Elc2Db1

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2Njc1OTE2MzUzMTIzNTM2OA.G-SkgO.qg4E2E1OvIPfjMYw-hFLkrVx3slFID5ls7d0QY
server_id
1269916202600370308

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 12 IoCs

pid	Process
4852	Client-built.exe
3376	Client-built.exe
720	Client-built.exe
4500	Client-built.exe
3960	Client-built.exe
4364	Client-built.exe
684	Client-built.exe
2520	Client-built.exe
1784	Client-built.exe
5236	Client-built.exe
5272	Client-built.exe
5432	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
6	discord.com
103	discord.com
104	discord.com
114	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673180929712729"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.rar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4612	7zFM.exe
4612	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1152	OpenWith.exe
1352	OpenWith.exe
1352	OpenWith.exe
1352	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe
1456	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3336	4460	chrome.exe	82
PID 4460 wrote to memory of 3336	4460	chrome.exe	82
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 2800	4460	chrome.exe	83
PID 4460 wrote to memory of 4196	4460	chrome.exe	84
PID 4460 wrote to memory of 4196	4460	chrome.exe	84
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85
PID 4460 wrote to memory of 924	4460	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\source_prepared.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa21facc40,0x7ffa21facc4c,0x7ffa21facc58
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1712,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:3
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4616,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3120,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4592,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5456,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4956,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3692,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5512,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,5721604474392748782,5194529162997283970,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Client-built.rar"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4612

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3376

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:720

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4364

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1784

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5236

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5272

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
582a08d1a4ddafa9cb77af6a382fbb6f

SHA1
324eb7db258fb218e3d3dd4ff9dbd6d98f39366c

SHA256
3750cd2a847eba6f92cfc9632216fb49b2cd5b9bf40f7f067205c9aa00c83a18

SHA512
4e1978dd500cdfbe705c68e601767e12b88cb17f6fcd4e514d96e4baa0211d8ad11a2cefef0bdcbe7654a059375c577137278f87e1d8dc22dcd600760461d0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
7dc24e1e1de76aad6887331f20c37ceb

SHA1
60e576f9c51bd5c7094d392cf860cafff8030625

SHA256
c22e978ad52fc73c1dae31ba29d0f83c09a92fc1218f30452a63714b72912e15

SHA512
f89c9aa3f102a1b15f1a44a9850054fd4cb5ae1b307ddaabbb0cd624992950d224260e675987963370de307cc0386b240f0a77703d2e8c791224bcb2ceda7ccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
5959379f01f2405ee43eb6bff16cc3f2

SHA1
e1b0b14f5a8be13ffd599f5b1a63e1dd0a25caf7

SHA256
c1caa18f1dd232d6ffb483d10dfa55df7c712fefc474f8d8c02f95a2943f06ac

SHA512
f1eacce01a4b156ce83dad6faf0e384bdd0fc635745795e193432612e4c1bc04c06c1ea1c6c026fc723ceb6ad10c053de65fc82418df161db4f840269793ac7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
52e7293971aed7e302845ef48330069a

SHA1
1a5e6217cadd21aeedcc3eb72c36d3705852b1ef

SHA256
063a36a2f6b1830618cd01e93ed1fd597423e2712cb86e8122ea16a542af3891

SHA512
798177d5ff71352379d16815ae6b789b50d225d5c23555822f8db67574da28dedf4159a259e3835ac1e8b198cc5959aa0456c7c222a711a6692d231369d72d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
75b684f942eceed4302d0be807b017c7

SHA1
9f2b9c2eb1856f2cba02a5a227cb50a93cc0f8c4

SHA256
aa2c3dc27120c1e64b548628af00f2ed5bedf022c3ea804d12d6279831132154

SHA512
035d8849f3da513a58a96ed9241ba9d1e3d5b822789de611638c84d1a431fe0109578be17c43c6a38d79566328033ef5279f72c87e724829f09aed19363d0bd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
77625ad8bab8b7def17ec8319c6c281a

SHA1
34e85d145a3f54d5dd8057c699acfc151df243f2

SHA256
08ccca66d22a7684a93cee823deb00a7ba4ab195c9737f24151e5230d8291db0

SHA512
e8de185a53973a4ce0d18ae35b0cb3a9a51f799d521afd2240bd6d2a8192b4f36525dd1337d84bc4ab47e371b96b84dfe2f7bce41ef1208d4d1d1216fa62637b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
906c632d68ddac071682df4bb2fc4853

SHA1
cd716be81bad770ffd89823e96205a08246ac1e4

SHA256
abaa178642ce05445b15acf20222b5c6b0a3c96c57d6a239ce3195766bc7fa47

SHA512
2c60ad23168de4e1936756d4dbca8537a3b430acebe9293c88546c4e74f529933108802b1a844f5b5d17c50d26ea4d79d7010053ad13966e60341f92be21d988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0727568974e09b80acc84e3df353a175

SHA1
131eff909c18686881ba253edd39f1835eddd8e4

SHA256
85f981d2435b90f847b868c938337b677dfcdfd781679e6a61d84f79c6f992b3

SHA512
5aff17d855c989f1c5e2d24dfbb5ff360d2937fb51a741fb7e32302ef614ecaa0ab08ab7f1c8fa1abf863bb23388fb49a6cc2e78e5d96ea2334b587c457ec59e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
555f97ab36145c6555a4f29a769aaaa9

SHA1
8d2ffa9c7d331cec3eebf05b38097290746ee8b2

SHA256
a23ba0e5889264263453c738f4ef5098f775f6951c62e3d39138f2ff59aebf7b

SHA512
3a82c79c501f0c03557cc0bd2b6ccb265ee7a6dfd23fe7ed7ffcca68ef220dacdd86b9ac0f3625e9a9fd90161b01fba35eccfcff7195c65a88054d2bfcc405cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c39c55bb1fe8a67ce0ea38a68a519349

SHA1
c51babe42444a90c43dace2ae90d6f42f6eb8edb

SHA256
3aad885a05401979ed3df5d95866554d29e0de5cd951514851e3109afdb7df38

SHA512
ca15890b954ae59a2053ef892b25c33c25ada2717e959361ed4e8552387993ad2251c4eced88fae3ab4a27ba0b930640f213b545477a042ca3874e9f13c5b368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
10f92d8a1ea5ea1803fa61b05ef705ae

SHA1
a5179453aeaf82ffba9dc41b0b07d1a31e58a65f

SHA256
7eeea598a321bafcefe330c9ecd026c34e298345051678fc93e281828dde3cca

SHA512
cb1a181a8dd9a65b44f9032f6a186f18b2c6454046ec6ba8532ef4b40d01c2d16ddd5f83045fc21a848da1f676dc179cc5fc050d6013b2eb5b1909626939fed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
65caea0e93230984a73a0420e619c55a

SHA1
301e9f7f8e88256cf230d4b474dd7e17df55f494

SHA256
470fd98c0dc0ec03f7b0a922427608508bc2daffac27c4e9345c0a17cbdf4eb1

SHA512
1db780f07dd248b0bfaaa67857b0e54d539c6f2f9197f0e4bfca6b7393e58628af939aa1ddb66abf24dfc022b2b46d5c98c06e4513ca3302696291d5b9c815b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0aa1e910836b2098a39788e640e2afdb

SHA1
3a75a6ff761e5d355559b72d833da451933cf653

SHA256
ae7b398a57ee2ec77cbf7addeb8454f66c68854b4b811ad6d0e8242027ef07da

SHA512
c2a821c2117c4194ed5c61eb27375cde09e2349f6af991d223b434f646cd6f8bb113a3c3e6e714d050b81dcf094dd347ca82c1b44b39f2309b6e4de553a73558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2981928f544d33b4ff22d6d37cb8ed8f

SHA1
0013c5e014c2598e51bca378b0caf0bc6d767655

SHA256
1cb30f93f868b482b852bb5f0258d357b5be8083932f342fe418733521c60409

SHA512
1726b172e749c8c6a3868cde919419eb9014eee9950d02a05176cfb7ab82b260f7bd420d6c7a7d5c3a0ad1c9649f73c5c47f74730cc236a8c37e4758fae4adc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ac862288880199ddd69abb5e88396c24

SHA1
1cc01a8c7bcfc1f343f642854dfe7931a2804014

SHA256
a792f95d27ee374a6b97b7cd6254818e5c8ab2c4ffbe2fdaa54f3e7154ea254a

SHA512
5734fcbaab0517e142a97376a64044fcd928b6728cac3ad456a4399dbe11d373b79d19c366c8ffe00ad9030a1d6eea1fb9776a98863d9ec5a10ff94c5c0e01ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
529dc3bc50fc7de31e852d759da724da

SHA1
841c8e52ab8cf6d2a6c970d75aa323b4ec48923b

SHA256
4f8b420a9d40868b75e709f84462f426f88e9bea4b7b72807043bef67cb52a33

SHA512
051cefdb9479fb90c6266a0cb800a0022fa0d614dacc7e9f1f53889096661e2364f2b1fc1d6e16050fb71389c5efb4b71412ee4f7d9da2beac451ea3417cab7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a8496cc1f00546b68cdff90b4575fb73

SHA1
d8e29c6fdd85a908e7f84055a7c930a596db541d

SHA256
452e5c14a95d576de1abe380550c6701d4cc49168166927341fc606ec3965f3f

SHA512
0f9a91996933dea61463e57c2bfceee873995b6ad51184d1681602340586d662a40a798c7d3e21ed9aa322f81fd0b37d99183f8963d6ac00007194cb75f70810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
643b239c7794649308a6aaa37e8cb98a

SHA1
a4733e078348499e8cf05003bfb5e44d5aa4dc96

SHA256
03246f4afeeca8d279738babfc8c4afabb513c21e4857d39f1da20fd54bd9a17

SHA512
788655c8f849eb41575e26ab3f5d9a0a4142c174999640f1ef9c68f7a239bedf74146ae1458052c54ecb955671e4e1249a1d14cf96d6cfe507d5465c7f3602a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
22fab7de9b6a02063d9a1455c5767e5a

SHA1
e43d39cf88a26f6d42f6a0fef376d28706b37607

SHA256
7badfd0934ee2b01514a288ac4650f7e408efed8a40570861094ff3a1037dbf1

SHA512
4cef1513f2c9ab2908f910c17a8a7136f84e4279d1507d4e2df21d8b10a6b9275aa9aa89b22a51e21ea4666418b6b17a36708beec5c06604898c53d4a01b6521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
de711b7849f156154b42a2d5414a82d3

SHA1
632cbf65988799fd85308c9a85edca820809e6e8

SHA256
54c80a0de67a31ee7f5b0407c48236ab798ced9d71eb6be1c15af74f8fef1f34

SHA512
f8c4e44dce0bbe52504aee10ef79eab68756a6111fc29791c670e266900db4cf9d232b5b2dc9925dff7c7ef84d6f3d6655e5c464e9cf55ef9e2dfa5cbe3487b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
aeff6757784ee79a0506c45a18d3707f

SHA1
e5f0e1eb39995fdd243c3ec522b135f4db9480cc

SHA256
5a65b949c2d9b47de4816f8149a70dd4d5c4d4a59d1891ee3070e5a41ccc649e

SHA512
3bac992f0939af20c60e95def9802e0fbeda17682023c53909a851b708a8063673a239fce9a845573b8590e583ff669b99b2e3539cf5a14e8a5d49002e262160

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
deea95a9017d1d6e0750d9b1f579a81e

SHA1
7a56ae9b9c681e98c98e91e911f2e1a72c3c5138

SHA256
93d8d25ea82d111305d31bbcb85ddea332b840f50724f50ffaae6e85434aca9c

SHA512
943dfadc418e4c03e7e31ce7afbb33c7e77f3ffbf134ad5e595acaaa45bac78cd825050f75489a20f7df619e9841cb2c650a4ef326b42c0a7f64ddab9fc35738

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
78KB

MD5
40b5b03fc8c8d794189670536f385996

SHA1
e590d6f75ea6da45e5a0906021eb8603663d2922

SHA256
52b6917f89a07e71bf72bb2bac0be8c9c184c19daac10a1fc7bfe966b4b10ef8

SHA512
036efa4b72c1d0095cba0ed9143b6725c399b55a757117500455d10f4ccef6bd6dc09982a67c0b274d7c0bd8c17ad6f35ccceffb32e1884c82cb2f236eac29c7

Download Submit
C:\Users\Admin\Downloads\Client-built.rar.crdownload

Filesize
26KB

MD5
0d1810f13c1c5984d4777f347b85d5f9

SHA1
e977a14d3bcca98ce8b96587c9611971c0d7b859

SHA256
09b05c6c7f16211f86208d668021ecc8900d6d3b5c2dd449f7fbfe99f832cd72

SHA512
4178c8c409a4ac8db4c9dbcf1dd594712f643025241961c4d4a3b0de88a458bd29154b06ec9940681fe310b7d2f9129a8e5016519a506348527dc02446b2ed9a

Download Submit
C:\Users\Admin\Downloads\Client-built.rar:Zone.Identifier

Filesize
170B

MD5
29fce70aa530aabb6b09b253d60ccd52

SHA1
19f52b784eb8fc939a254ed074fa3471a0390b6c

SHA256
11d5240db354375aca9546964c4b53ecc9fae2131b64da3bc6c16b9e46740c7d

SHA512
b5f5df31a0f0a1a8c35330ba17beb84e9965c543156914996883e9f20f669a9474aa9526c0a349ed2b8e5a00d209b60ad0a33fb93568c37f264e8b59f3122079

Download Submit
memory/4852-318-0x0000018986970000-0x0000018986988000-memory.dmp

Filesize
96KB

Download
memory/4852-319-0x00000189A1050000-0x00000189A1212000-memory.dmp

Filesize
1.8MB

Download
memory/4852-321-0x00000189A1850000-0x00000189A1D78000-memory.dmp

Filesize
5.2MB

Download