discordrat | a61e602cb784d78f33f6d18bd66181b99978665a5097c139b2846b87e1c4a063

Analysis

max time kernel
147s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-10-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder.zip
Size

45KB
MD5

b34610d72838dde5c44bd6997a48c903
SHA1

e46153efe2a2bcafd9fa03be46ca67fe6ad20b8d
SHA256

a61e602cb784d78f33f6d18bd66181b99978665a5097c139b2846b87e1c4a063
SHA512

d4ee7a8bfddbe9c948955c64912f5588ba07abb7fac4da5c9b1267397e961a8aafec0e91044de25be7b77fe2f299b71969866fc3b842535553c6954a84f5da4f
SSDEEP

768:Yg/qN7Df5msVdlrz4XqaKScBdmFITsH9y4FtYs74yRybclk1gGdxR4PipLqHZu3+:Hqh5tVvrk6icBd6EsdyjskGrlggGdxrs

Score

10^/10

discordrat njrat farted discovery persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

farted

5.tcp.eu.ngrok.io:13824

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

discordrat

Attributes

discord_token
MTI5OTA1NDUwMzg1Mjc3MzQ3OQ.Gam-5g.mMYt_UiACKf3lceb5vBDHE9GHZi685c16_84bo
server_id
1299046739898011668

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\get cooked bozo.exe	farted lmao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\get cooked bozo.exe	farted lmao.exe

Executes dropped EXE 4 IoCs

pid	Process
3164	farted lmao.exe
4460	Client-built.exe
5096	Server.exe
1568	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\Desktop\\New folder\\farted lmao.exe\" .."	farted lmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\Desktop\\New folder\\farted lmao.exe\" .."	farted lmao.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
3	discord.com
5	discord.com
6	5.tcp.eu.ngrok.io
8	discord.com
21	5.tcp.eu.ngrok.io
44	discord.com
45	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	farted lmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133742681407156929"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	chrome.exe
4804	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1392	7zFM.exe
3164	farted lmao.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1392	7zFM.exe
Token: 35	1392	7zFM.exe
Token: SeSecurityPrivilege	1392	7zFM.exe
Token: SeDebugPrivilege	4460	Client-built.exe
Token: SeDebugPrivilege	3164	farted lmao.exe
Token: 33	3164	farted lmao.exe
Token: SeIncBasePriorityPrivilege	3164	farted lmao.exe
Token: 33	3164	farted lmao.exe
Token: SeIncBasePriorityPrivilege	3164	farted lmao.exe
Token: 33	3164	farted lmao.exe
Token: SeIncBasePriorityPrivilege	3164	farted lmao.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: 33	3164	farted lmao.exe
Token: SeIncBasePriorityPrivilege	3164	farted lmao.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: 33	3164	farted lmao.exe
Token: SeIncBasePriorityPrivilege	3164	farted lmao.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe
Token: SeCreatePagefilePrivilege	4804	chrome.exe
Token: SeShutdownPrivilege	4804	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1392	7zFM.exe
1392	7zFM.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe
4804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3572	3164	farted lmao.exe	87
PID 3164 wrote to memory of 3572	3164	farted lmao.exe	87
PID 3164 wrote to memory of 3572	3164	farted lmao.exe	87
PID 4804 wrote to memory of 3720	4804	chrome.exe	91
PID 4804 wrote to memory of 3720	4804	chrome.exe	91
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 2436	4804	chrome.exe	92
PID 4804 wrote to memory of 4364	4804	chrome.exe	93
PID 4804 wrote to memory of 4364	4804	chrome.exe	93
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94
PID 4804 wrote to memory of 2168	4804	chrome.exe	94

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New folder.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5072

C:\Users\Admin\Desktop\New folder\farted lmao.exe
"C:\Users\Admin\Desktop\New folder\farted lmao.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3572

C:\Users\Admin\Desktop\New folder\Client-built.exe
"C:\Users\Admin\Desktop\New folder\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffdaaf4cc40,0x7ffdaaf4cc4c,0x7ffdaaf4cc58
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5128,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4360,i,7379288965543651872,15191314196552137422,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
51adcf1e905aa2ee0a314c97de289bdf

SHA1
48a4815bd15d670d1f5609d7eb24e91a8ac3a2c2

SHA256
454e32df92b9d881d3ad724d486056822f5443bbd57cb0e44775fb349e7d9d5e

SHA512
61b3af52e992b1af2a454449cc4b3ce9ab9b31722b6ffb920f152c670fd7e5ec950f5d6f93960b8a9cd8153f6e70e23f2ccd2178afc53698902db65d8825e462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
7f29dff7b9c368d68299137560b08cd0

SHA1
fc5daf85c9cabbe5b12ce3f7410219be08e7d2ae

SHA256
7252903c72dbbc0ae3e96faf97f77a133a07f5f9588fdba125c43474174acab1

SHA512
c429ed1b7502a25bc8d084e4fd75357d29d13521b7b453944f7a13413e083938a7c02ec822d2ac70fa0f2dcf584f7f8c23a99dc71ff109ccd898463b62e69b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
95dec4bc6c35ad7d4244464b78a5bf4d

SHA1
357881d0797908bbd730f416dfa56d6cb93b54ed

SHA256
c0a2721a725cd7166801f494a0dde4e745623cf6d5d65c99b5c694555b12a50f

SHA512
34e0984f259708f2bb40e0f805046151b1198962785453f9c6b642ade8117bf4de0137a87f6c0d57db6bdd225ccbf30c1c9940375138795c3a242634719f16a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d6ed82e18a36b1bd7c7e7c5d3efad889

SHA1
70502bd88e52a78cba7a148c888cd8848df54670

SHA256
1d5c7b7d727fab15b0ffd484d1f85b420fd0f83242acbaa4cfd175dea83785bc

SHA512
1c2422ad71f1c1723ef530ca464efa5488bb3a42c288e12d8c889b32157e733af6aef7781e62db4941bd22fa0eef006ecc8b073afec50abbf848ee50dc1531d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a97813ac7ffb7a69c5c80164cd58b6b4

SHA1
3bd3ca18ea890168a7c2fbf69e5a96532ae07e4a

SHA256
5a4a6989a843e43ff2321f3f7af8a5ea6f3f2ff0936081dc43c81b03dc49064f

SHA512
6cb77c9b06bd8612ea7fe68419ddc23f6966b905c62f9d04424518ad59806eb932993adc4c0dfc9d895a6e19bbdb5d3744057b97537e22bde5e174de49963ea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
06edead29e3452af7848543b5211626b

SHA1
b70012c7efbb93eef205f4bf65a02a883f22616a

SHA256
4f88bdeaf5f2d38656aa59b03ea9021b49d46335be49a2db25245c16c92de12e

SHA512
b1cdf0216c59fcd40675963fbcc485f01962dddbfccb657ce2c269cf49480b935f6d3ee2ce86e1bb9b4fa9b4822195aa613127c03a56bee9798bdf0a6f9798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3ab49c6cf08f15969c90b602561b56c

SHA1
2e734e3853f4ce797df63940d19e881dcfc4076e

SHA256
9a187d578afced3a0608758407d161d437783285dd1415fc800725fabbf15fbc

SHA512
937e37c3aca59de0af3e8ad46d024c54b3c76c5c52dca06745a4c26b0969955bcfd2aaeb222731ff8ca7a02da6b0a4c25ad090a2d150a127b94ad6ebc356c0c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
084020312d51a7e412badf707f243201

SHA1
dfa7d55905da71b0e1e4ba8f8a2ef8b335139152

SHA256
6b976622c763ea4761c1917a67ed83b3bcbd37ee42f5a9145c66e11dd5a0340f

SHA512
7ccc102f7d337beb46ce1214f742e66a0a6a107fb27423130edd91a4b0b7f2f29472ad79731a4a9beadef06b00373a1cf7c87e4266343d9995e95ff0c2038739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a35317e03db5ba8bf2d475b4a4b6a31d

SHA1
306826ed70d40dba472b54d29de21016a6879a24

SHA256
5e94d9433b3e8c4f4503a5eae8041d479b6c75823975798d90ef5c3166a6cc0f

SHA512
2506a2d6f7ab9671224389c6892e66ba937e6be6a897c9cd2b4b3e38dd430cc3808b097d69fb0c3b1472cbbbf1c6cfacba13e70e877e17ca07e40f7b17f77c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1021bfe4dc09a7263cfae502bae3606

SHA1
cb150977234c301a7c7fb93f86de782589033df7

SHA256
aa291e36eadc8c9dae06be24ed81f1a03cc42f2ec509c658efe84bd680391c84

SHA512
8255a9fa83b0d61fdb63b650b1ce386f14de5a86ccfed2503db698085e26fde7a26205083b8b32ea942db67871b988fee8ea92e1f3bd5b3ea5870aaafe46fddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
803b0406b226d843a117c54f41839cff

SHA1
c059f679a083d5467216c08a306663c59ba0f294

SHA256
50f144488f51aa21105d2dbf4be4464757ff1f95108b570cfff4ff8a7bd54434

SHA512
cb42732fc707af0255b91f55a3a4fb054d829f39ca8f9e6e68eb730978a619680cbb1341df3e6d7e036e58449ccfd36984fd20f9eba11f9385f89c4bfb818c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e77e745bcf06636549014f13b096e4fa

SHA1
b946333f88e6e8ad846b1fe529a809c0e8e883dd

SHA256
c5b70060c8799649f4d98f6154678a4d0ff4a843bb48415ebb14a70cf9f1c15a

SHA512
1f9466c1798bc22aa20c712530e30dadc5333fe18997d3df039388623833dacc204c06e8ac5bf63abe3dfb27e6a0f6a75594afec8a7d9e84a06f9677213f22d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1617b6a946a044fee901c44befb53506

SHA1
03a54bb2cf4c0bb06174c13436daee854ff74b89

SHA256
486e9cf51dc0c4d86c39680c9e0d12d63e55451cda0d72c3d60f60ffe74860b0

SHA512
ed83514133ce4c12cf1b2df3143ff716a70683935a590d8ebcf0598f21d5c00bc0ae5019550c77b2e2d8323aea3de4154d106ea589db9b315b5916480a7ff193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

Filesize
408B

MD5
4338163b0a952ee13772dcaa8e005be6

SHA1
b08b4666d855da02ce46aa4dca059e9e2c353a4f

SHA256
5fda32bcd2006c3a7b83d0be172d1aadfda31fabdd519a168f2cea676fba832c

SHA512
a36ed33ea34a8ab0d8887cda134db49eeafdb5e34594f047463de059d56c94875c2f7f3c0d9755ccabaa1a75c1b15b577e89e2de9ef4d3a231bc78de188665f8

Download Submit
C:\Users\Admin\Desktop\New folder\Client-built.exe

Filesize
78KB

MD5
623f9705e81e545bc3cb058a60bd8562

SHA1
f07e26f819b00fce21e048776c86681b766b9cac

SHA256
a7a0be31f89c3b9bc7b19a7c857159aec636cd371dfe9a4991d916b48e87505b

SHA512
041546e60176ed35dc4a3bb7254624ce44a5f6db82cb9a852df1bae6dd286fc8319729d839fb6e93163855b498a4e5ac770c2944fbdc52c217a52fdbe31d05df

Download Submit
C:\Users\Admin\Desktop\New folder\farted lmao.exe

Filesize
43KB

MD5
b5fafa1e77736b195c74f2b1e4d4c6d9

SHA1
c4517ed186ce5805c8ccb1a34acc984b9d9ba190

SHA256
f9da2cb52d6f9718bb791260d5ff2e55a67e158a30d8f873a9bf64e459809a1a

SHA512
b2d5ce8482f09e8f3a9a18a95e5865413eee8548719864efe1007a8e25175478405d9257ff3c91359661a47d9a22db6f036e536f52b913db15720ef3b210f07f

Download Submit
memory/3164-16-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/3164-17-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/3164-8-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/3164-7-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/3164-6-0x00000000749C1000-0x00000000749C2000-memory.dmp

Filesize
4KB

Download
memory/4460-12-0x000001EA64F20000-0x000001EA650E2000-memory.dmp

Filesize
1.8MB

Download
memory/4460-13-0x000001EA663A0000-0x000001EA668C8000-memory.dmp

Filesize
5.2MB

Download
memory/4460-11-0x000001EA4A810000-0x000001EA4A828000-memory.dmp

Filesize
96KB

Download