discordrat | hxxps://mega[.]nz/file/480lxSgI#YBDumPixSk_w1_GbfHkN54yjsi7xmBakKl8KFELdcaw

Resubmissions

06-08-2024 17:53

240806-wgn8nsyhrd 10

06-08-2024 17:51

240806-we8jjavhpm 4

Analysis

max time kernel
90s
max time network
93s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/480lxSgI#YBDumPixSk_w1_GbfHkN54yjsi7xmBakKl8KFELdcaw

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjM1Njg1ODMzMTkyMjQ0Mg.GsWmlu.iJhDlbloJxm1UAqvNXpHS-eoFJVnC-vXB0KSjs
server_id
1256347001440702494

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
3484	RetardScript v1.425.252.exe
4084	RetardScript v1.425.252.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674404516852727"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: 33	2588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2588	AUDIODG.EXE
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeDebugPrivilege	3484	RetardScript v1.425.252.exe
Token: SeDebugPrivilege	4084	RetardScript v1.425.252.exe
Token: SeDebugPrivilege	3240	taskmgr.exe
Token: SeSystemProfilePrivilege	3240	taskmgr.exe
Token: SeCreateGlobalPrivilege	3240	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe
3240	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3928	4116	chrome.exe	71
PID 4116 wrote to memory of 3928	4116	chrome.exe	71
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3224	4116	chrome.exe	73
PID 4116 wrote to memory of 3300	4116	chrome.exe	74
PID 4116 wrote to memory of 3300	4116	chrome.exe	74
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75
PID 4116 wrote to memory of 4648	4116	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/480lxSgI#YBDumPixSk_w1_GbfHkN54yjsi7xmBakKl8KFELdcaw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa83d29758,0x7ffa83d29768,0x7ffa83d29778
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:1
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4592 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5668 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1832,i,7596009116776552137,15481569367010827260,131072 /prefetch:8
  2⤵
  PID:3228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Users\Admin\Downloads\RetardScript v1.425.252.exe
"C:\Users\Admin\Downloads\RetardScript v1.425.252.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Users\Admin\Downloads\RetardScript v1.425.252.exe
"C:\Users\Admin\Downloads\RetardScript v1.425.252.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3240

C:\Windows\System32\q5ilm7.exe
"C:\Windows\System32\q5ilm7.exe"
1⤵
PID:1044

C:\Windows\System32\q5ilm7.exe
"C:\Windows\System32\q5ilm7.exe"
1⤵
PID:3012

C:\Windows\System32\q5ilm7.exe
"C:\Windows\System32\q5ilm7.exe"
1⤵
PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
55cbe367506156b8d6fc64845b3e6bcd

SHA1
9f907a049c5f81535b6b12372bc774a83ccae04d

SHA256
071f232674e670d1ea91f2dc46fc10d1d9f6ad7dbc1a2988e99a969e6c453e0c

SHA512
621e3610bce3b3df8acdc0f80b8a41a12a5d3447a2a9bbfb1d802b1b153481af74a6684730ead6982bb2d268914b6175dfcd5ed47ef020f54d66809341cfabbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
686B

MD5
bbee4cdf9d1dfeae1573a7dd7d726a57

SHA1
eae445cb56e8cd6e33c884feca9a314602685832

SHA256
c1e08f3ac1957331837dc9bd2333866821611f688a097903ebd583840f9d03d7

SHA512
825ed511a27020d426917f5444a8c31ecbb8a67bc388e0885ea32dced81877b94e460fad7968e2fc67253569f42fbc88eda9d40948765de6b2db63a435337a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
38d54b09c00779f210760d06e2ead21e

SHA1
8be4058324a61e1e037ff93f2ea846c0abe61ee0

SHA256
535385902b186da400e00b4d8955de6cba2afc75b0bd0269eb4a7b56fc31a06e

SHA512
633a3c1c9de0f35cb079cc64ea9d5ab50e6368eae519213ed6782a6a5e90b385f174801beefd33a8f60667a22bc7a87df764fbafe97e22325b4f75a3a9a0ce45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a92b83e6b55836a7f00f0e1c463e657

SHA1
da7d8d9e4afab8524b06cf117f0a671976ffbcf2

SHA256
1f5e6b243c168ef267c6efd5c6cfcdfc4369bd16eab48ae15aced9d550e86d1c

SHA512
2531126bbcfe2a351baf4c22ccba4f70e71da966ffdaa3fc814a16e9b90f0854379461755f362374692352cd39f3e142fb63e4973253765a463c625ebc6f027e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a8d3e2426e33d3c40d0e23278ce28a14

SHA1
40396dc03886e2f8253da5612d370e945f0d1dee

SHA256
03022410b52c888772a8c3234116a9d05d21ec7e870788fbdb7d77274ebe5842

SHA512
55aa34dc78bf94830af0bbed27c993b00fcad9fbbb015910d8a6700f132f4ab4aa5e8f8bf49d370b82534b88776a5526b1d9df600c1fe4d746710b2bdd52cca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
956bc640ab7a66e0f6c643608b05fbb2

SHA1
64f1c55969cf57e208bd547c072cd380b2328700

SHA256
389e0830cafd3edf25b6f1ae955e42bbb38256c05ca5ffcb2975b46f37518d9d

SHA512
76a3be519375257f7ffc4343b180cc83ca6f32622e2c662d5f065a9369b809e75a868c9d84ff93f2325c1626d990fd67033186a6fcb70e82a88e282e63da2049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582788.TMP

Filesize
48B

MD5
49d8beb9e33971d69fa34e75e66af9ea

SHA1
03ea1ad0819ab76f4d241d46878c9cf60ac5ce5c

SHA256
fea5e6f7029ab3fb4df6f0af5bdba4da43dd951c551f256ad85c91c09c843392

SHA512
39b856ddea09345737a559bf77d15b15990c22b6043baf9732cf1ab893c3654da4a51419f9ece9eb18ea33b0db59b00b870ae3b902c430eb8eb859db4a7b872f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
6cf98e571faa7b09ac867018c0b4d431

SHA1
b7515c000eb9119e7b1b4db9c3da2a2e828b11e1

SHA256
f8312c55ac5395b65686dd37acbdbf8c8e40c22f1f76d4b29c3493e1ea52e744

SHA512
987184e3f2680861890e2f3f912bd46391bc3adc56ded4ebcfa5780183704a1035441e57f4f316c3f397efb47321aef29c74ee91da3a78c6187e4e4209ce206d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
f93f6b5eb1ffad8bccbb0237b3652e68

SHA1
a4450bd735cbca0fa0e54e71360c867b8c4b58a2

SHA256
a519f17f57a77cbd10f807a890da529496bb301a9d4821ef8950c4ad028eaf61

SHA512
e6def28515bf994963f8480fe65dd55556bfa6809b4f62a537dda9faf9510912b064d3a49af6234cdee2ae4098bb956f0872f9752388e0577746fb51125bbee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
c8534be70565ca72d3bcbcd4351be4fb

SHA1
dd994b0c0e6a452012f564f60f070dfabc5b65c7

SHA256
d4049af89d2190367d92f6a98fcbc2a8e4acf506b682232dd1ec0cb35dc95126

SHA512
ce7a21cb2679f958c6a6f6d2f2b234235d8cdaef7ec818a1b02691ab89f5367b4672bba75e49d5c889af92db6d3b118b45038ef786307bab71648a6158763edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\RetardScript v1.425.252.exe

Filesize
78KB

MD5
9fc35e2c63366c0dc97b523973a459fa

SHA1
f683850a3140e1c6531d63f119ee25e2442653d7

SHA256
4fafe19b563a96fbdcf8feae300b757341b93e43d648e04670f18593c4bd75ce

SHA512
23a6f48dd317a67369b2187698ea85cbf857446aaac09f3dc66d509401385d79da02876eaec53cfb5163a985f91f609dff583eed270d6dc70c55b07f6f255970

Download Submit
memory/3484-330-0x0000022B8D5B0000-0x0000022B8D5C8000-memory.dmp

Filesize
96KB

Download
memory/3484-331-0x0000022BA7D10000-0x0000022BA7ED2000-memory.dmp

Filesize
1.8MB

Download
memory/3484-332-0x0000022BA8410000-0x0000022BA8936000-memory.dmp

Filesize
5.1MB

Download