249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697

Analysis

max time kernel
149s
max time network
154s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-09-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swiftshader/libEGL.dll
Size

366KB
MD5

c51dc7e0ca92c9a45467a202aeceebf3
SHA1

5f35ec0c4e9b7663d7467a6c5f10062479519758
SHA256

0d4015adb1b1a4996378e06c9341b19d00e3cab8d18c002197ea9311feaf5d11
SHA512

8439f2a36f0a85dbfe12e786672278c6f6250be5029313efa285f851491357e134d6c9e03b339985eb255e80988e82d37540ffaef4f358c4428f6fc6aaec9ab0
SSDEEP

6144:z0xXgHVFDxkm2nh/nyce87Xi4dlwhNEkqZCC9uZaWPJqSpdZgOBJ4+b2T:Ih/Ze87Xi4dCC1uZaeZGn

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

DiscordSetup.exeUpdate.exe

pid process

996 DiscordSetup.exe
4108 Update.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

14 discord.com
15 discord.com
16 discord.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
996	DiscordSetup.exe
4108	Update.exe

flow	ioc
14	discord.com
15	discord.com
16	discord.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Update.exerundll32.exeDiscordSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699695201260091"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

5084 chrome.exe
5084 chrome.exe
316 chrome.exe
316 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

5084 chrome.exe
5084 chrome.exe
5084 chrome.exe
5084 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: 33	4616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4616	AUDIODG.EXE
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exechrome.exe

description	pid	process	target process
PID 4660 wrote to memory of 196	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 196	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 196	4660	rundll32.exe	rundll32.exe
PID 5084 wrote to memory of 3480	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 3480	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4432	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4400	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4400	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4428	5084	chrome.exe	chrome.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1
2⤵
- System Location Discovery: System Language Discovery
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbdbcf9758,0x7ffbdbcf9768,0x7ffbdbcf9778
2⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:2
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:1
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:1
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5220 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:1
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3764 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5644 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1632 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3168 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:1628

C:\Users\Admin\Downloads\DiscordSetup.exe
"C:\Users\Admin\Downloads\DiscordSetup.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:996

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=888 --field-trial-handle=1780,i,7720389789808743436,9103802550366012849,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
0f4b6a2ea6d98294f4667c3263f0044a

SHA1
d27d9bc11ed3f4584093692269eab00a392dc0c4

SHA256
0eebcf3ad07c649e91028021a6f94f2b4270ec4dfbe69107ee96a1a7dac5c2dc

SHA512
e63fae42378c1bbf498838700352a5d224d1e8e0d4fb9e183e795fab2df13fa57ab0222cfb9f2e1a125991819586b4e63e519e75bbc3f2b0222641dd8595dc99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
86bea7b021c31e4ab14833bb85fc1359

SHA1
cf00958449405d016401049dd8d0dd4fed3e68ed

SHA256
4bee838bfa26e55e7eb825b9d8fc36fdb912d8f42426e94a601389478271c0e3

SHA512
1ad63b9350d3525a92c4c8c166dc32c1288c13b04ffddb69561ae27bf21ace17b8bbd3882b7d0fe1129ac8ef14878498c7f34e5943138b9454503937d4b3ec58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
33390814f840dcc886482c856aca254a

SHA1
2096fefdbc48f44bfdcdb57b99432d8bab3915fe

SHA256
2f4214b0dc12a85cac973d0a8ade92be96ef021b670d42d9629fd19267597194

SHA512
164d0a1c54053aecd37c164a65569343c6a02337232dcc4dbd9e616326b7e1a2c1f01cfcd757dc2433851bad99ad455e7417bceb3800f09044d8f39314ea6319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0cea30ac15c6d7ab128db09a3aaa5f5c

SHA1
0350b5186d2e5a69b1d2d5259ef37165c5851e99

SHA256
a0312938dbf6024ff0d91f9f2752f539e424702b7363decc641bb8ad379aae2e

SHA512
ef88bc4e313515ac4e5933e9a750c25ce26bb93d28ef71fada8a7eeb4b2df752df1b9e09e83e22ba905b99eb0973b74848e8fc1f300ff6c4fa7c74bf30db49b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
52e51df050906f74863b5af4ca72ac1d

SHA1
41ac473f162644a2467702165f8ea54f99f3927a

SHA256
a4c477027d5ecf935120f21d83de3d87d86d58a95855ce5d3ac5c318767c6913

SHA512
929e8492082879323d5819eeb92d88f123e64bf7805aad9f78dd48e7c3e9aefc98f73806f59bc19e36357483dae0168c0bd11bb847b3ea621be134bccbce917c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f5277abde2cba165b711322ddffa7961

SHA1
f9057d9ddeb18947e1665c11ca53d34d84f163e9

SHA256
7a4e52925169149bca318a565c92c7b47f7c24bf1c30a5b186f59f14ecc6db70

SHA512
c72aab037fbfb8d0907b6589eb686b032511eae9f42abf219f80db4db672ac3bab1cc881c5fb9d3cc0b20d9531315398676762ddbc65918ec9e23a25e164ae53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
00a82d028d33bad23c307f6311c6a036

SHA1
e091a915da2cf55602c4b797944021090c7eb82e

SHA256
19c773eba580f7ba30b49fd1f59217e487a7bb0342830ea6b5216f51dccd8f56

SHA512
f52e17c1dcfb93c063bdbfe99928bf48d455328bf38318b95db2f9406c37f14906afa5fa9d9b5c7a2a192b3c38e28a7b92b86f756b968091abcf1f4641406c3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
26781f50954d56d84ad92b952bfc5859

SHA1
6f9004cd817e040dbdd3b24e541d1c164ff37565

SHA256
63da80150bf4e0c1f03f11d3d41edc2dfd6ec4d50aec777aa2bbe0e742de5f19

SHA512
58ea8bb4330089f47949810cbf1f9407fbaac5df05529c7e902fc29ad049fcddc8815319462e5197a070d1492f3c4e09c5772d6a7a87ba3c676084ea610227cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b819fb882f32cfc7db1c3a9521174cec

SHA1
48986af14e64b4a5b658ceec1530d50125d11ff5

SHA256
0d645e00976345a74be3ed39bcc24fb590b03dc1ff08295ca7c2678ee869d882

SHA512
d60b521b0b61d52f362ec108c92a002e3bf1ebb63545c9a6dad7616ac442921cd4767aba358252c89abf61e79191726fab757f83c4e3724b5cda6f140c646d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1535e51fbe785388d205646e3e29a7f7

SHA1
46c7a398cbd2dc1bc302ed851fd6778558fa95f0

SHA256
432c413b099a897bea4ace790f2a8e87f4a5185c07a3bb937050b9b8bc37c530

SHA512
dde5fed63e6f83e7c0f276605d3262150ccc68e1d081e34627842e7577f33ffa53e8602fbe094d52028eeab6bc3b1adb92b79aa5d9f3ddc4a65e8ebb1941ddb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e821823509e70c0e60704baf90d74fd8

SHA1
8bfd0309a68b78d3429653a72d15613626742a42

SHA256
21259098dc3077d1e18ed273385dc25e828f0e8fbdc830319ee623c7a6f5f109

SHA512
ecd07d67e70b3766be09068d3749c8ab21f9cc5abd7ab5b13eea96ccf3b1db79cad954ba09067b4b2e02d47fc9df155ef17917ba2b0d613c8553b925eb8f7350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
f5bc9a21c19dbea4d43603984864bcf6

SHA1
469a225fcf2cdc02a9c2d9c46240479d4188ebbe

SHA256
e825f8fede0080a30a3246217479356e2f54d3a5d1e998545518da9f652701d5

SHA512
1a037975fc04bc5eb7e41d3f5bd8b1756527ce1844d4884867dd7e77f976b6894b3a3be4b551ec5497c0d31eb72d529612b570d441710ead7cc95fb7139d4bfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
8c2831ef58998a2a76adbcb97a7b3c2b

SHA1
11002710f2360f6d52d2da3304bc0c977911c4e0

SHA256
1932f4d0f739c642c283fec2f2b7b283e2adb9362a326461b78cc5e6825ffa2e

SHA512
39954dc0ff38513fcc04ab4da26f1a83af72373c259783a3a9913c510f27581eb355a40844f071779d5ac4f09e056d98433b4d2d5204861861c8f1a6d6a02dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
47ed31863e28e7ffca0137b112de654e

SHA1
49e5a76cb0c548cadf8c948c9e93ce5bf161b080

SHA256
70cfbedecb3884444e466983971b698015ded4a31e64b8157a4e667b943f2fee

SHA512
f55a8868cc6750e3ad79dfce6727efbf4bf2b7de98fd7e0c5756d4be018dc24e60373519a0636b3514cca810c8f53c6c84a25769fac0954e10f6eca8e0e59a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583803.TMP

Filesize
100KB

MD5
b36a1efb4354d77bf56500651bdf058d

SHA1
61c392607a8f3c038fc9d1a0bdadf4084b069407

SHA256
8428daeecf775157986af3b72bd0f031a7dffe34f19227f805c9b28566753d27

SHA512
5621de5f115e7c7c728cf950810843fcb637f84db9fa3d782d33e9760b40058503fa1fa21a1e106b590aaf67829d50e2a15688d86ff576795e4c24d59537b222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\db1b89fc-9932-4bee-ab68-48a4c0b6155f.tmp

Filesize
303KB

MD5
92826df8272e79a1834beddb518adff4

SHA1
ce11560ec831c60ee01a85d419650f7e44d73cc5

SHA256
abe33030c86fdd1fe209c23d1607d3e9308ca29110abcd753b6ff57e3726001e

SHA512
a8b201785abb3394f444a8668d190f46fa53748c382d1bcf04803f27d24b574c49e6c0c916b11871e6443667c01672f63ea8b6f20e496cd6b7528f88b195edf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
788686205f4868893057541ecd48328e

SHA1
6088c9df47a7f68b1c75170d4b55e787d115f411

SHA256
d378962173ae4b4b27e07f9d243833d7327e93c0f261a01995f0db61a1a94eba

SHA512
e7a56d905bbb57bae9bc8068d1102e382b1ab2cb4d99da20ad9d68295926d66b1cf69b54d99bd2a5306ce3dd34f52c7d11905716ebb1acad8866d04636190f75

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
771974507467d78570b821f76626cf04

SHA1
2e8994c3f137d81e61eafa717ff234355e9053a9

SHA256
679f99c88d254feb46909c017d5a00d22adc508ecf62378e126d258b74f09a83

SHA512
17dea568b740346f4a9167a073b5bc874582945c44a6527c8651c4ead64214ed93d9c15636251e097a7ee5d35df93b67367cbafe1c435a40064be07cb5166426

Download Submit
\??\pipe\crashpad_5084_QILXZCPMNNTAXHIC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4108-286-0x00000000007D0000-0x0000000000946000-memory.dmp

Filesize
1.5MB

Download
memory/4108-315-0x0000000007590000-0x0000000007598000-memory.dmp

Filesize
32KB

Download
memory/4108-316-0x0000000007F10000-0x0000000007F48000-memory.dmp

Filesize
224KB

Download