discordrat | f69ca83bc820f2e899c064d358911cfe8629cd150a27a923bcd3100f0fd1d6bf

Resubmissions

10-11-2024 11:33

241110-nn4myayphj 10

10-11-2024 11:26

241110-nkawfsypcn 10

Analysis

max time kernel
234s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

976cab2ebf7feeca8bb2e878173bbd75
SHA1

cfc7ff003e2e02fd2d07ef9d599ad98fdd17e57d
SHA256

f69ca83bc820f2e899c064d358911cfe8629cd150a27a923bcd3100f0fd1d6bf
SHA512

ea65fd479795472344dd0564f605cb9ae64df75c5becbf545642414040a2dd5df59d9112280e304ce06207178fc5229056615ac3251efbee5b1308a218aa2d91
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+hrPIC:5Zv5PDwbjNrmAE+hDIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwNTEzMTAyNTE3MjUyOTI1NA.GRlgAe.qVBCGGPv5rU4uSU-RPVy0ngEUAvRwwx1LrJqZA
server_id
1305129586971119626

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757117798017702"	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

chrome.exechrome.exe

pid process

4152 chrome.exe
4152 chrome.exe
4152 chrome.exe
3940 chrome.exe
3940 chrome.exe
3940 chrome.exe
3940 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4152 chrome.exe
4152 chrome.exe
4152 chrome.exe
4152 chrome.exe
4152 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1596	Client-built.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4152 wrote to memory of 616	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 616	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 212	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5008	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5008	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 904	4152	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffabb1fcc40,0x7ffabb1fcc4c,0x7ffabb1fcc58
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3816,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3420,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3344,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5152,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3144,i,14850029102682777746,10371917189468238209,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5d1e84db-53d6-46fc-baec-0c9f4e6746ad.tmp

Filesize
232KB

MD5
ece77f0bc9261560ec330f667da30184

SHA1
b227dfec9e5be3dc7ffc58f40d3df263bddf9ed0

SHA256
3f8547299455899fee184dd6efc1e2ca55c75a6f753e92899b74499b177b3eed

SHA512
54cbf0c514fba32b76aeca890ee6daf2b4c85ac26a27cb08cb8b96900f74097f1ae033c1c788ef2dd50347c1b51bdec2390575041bf9c554ed7a548a9a124e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7015b2592361d436d380162049c84dd0

SHA1
e8c220f72f5bf888b4c93a8ba6296048ff2f38c9

SHA256
fa677863d28a1ffb01d40aa6314ab87bf313a1010b98cead142dc22f79eaee7f

SHA512
b3c5c744a61923ac950687bd2036589efa9e2aee7aa62ca1e72a2feb8f462d128150087c82d7ebca9f5095397340cf8c5ccb298ea4d437460e6dd8e02676943f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
576B

MD5
c1a932bec9b3ab533c90f238241e3cd6

SHA1
91f445d7edccdf1897ef63a53a1c599532862490

SHA256
1010e3d5824382feafc3fb030bc17d1d9a1441b4d5c17cb5f0013fb6e8ee6c47

SHA512
a320a3649939e0827eafc6ef877d5b6a7bc6cd01dc3bd4cbf0c9f2d1b6f3bdaa3405ee15fd2ea2f5aab290f3dc24956bbebd901b015602198c8dc401362e0e9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
aa854ab788d7ff7df05583cd16b1c0c5

SHA1
c002be384ee74001970064d33d7603183849add5

SHA256
a14ef0fad7ff058964a25c1aa120453643e15ba350a67c13c822550865a34491

SHA512
b03dcb792c80fd71af4c0dcd0813bd074aec19908b5065f42ba1d2631f9888e90349c8fa4ffad46b7dbd2fd68cd9e0b73a3d13ecd467b7d1329b2673b41ad8fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
361f908e305020dc98a427929c94c7ff

SHA1
c017482793ace8c8a73032d2fc4d743e4609b08d

SHA256
9224e2495006bb70112410a57d892006674f25910f067fb048c56a0c92abf64c

SHA512
4014ee8e256de2e95bb68cb61f575d4b8d00cacefc6a666a158c30179455804a5336a2427e8d5225742602dac2e8b68c21b6e2450b4e394148e2109a5bd09dfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
18b6465627999a1f00e3671c407b0bd5

SHA1
99ef7ca895636392389b69f85520e2cfdd5a8a76

SHA256
eba3c9c91f2e924748d463a25ae01639cd34b59a8ec74bab0956ee403c0f69bb

SHA512
40a306290febb78e14bc5fd0f19f2d1f88518bf2ec6635a9e65b21216a08d9767e89454c7513cb8fd1ab13f8afaa5718dc1ca6bf0e395e70375fe3b6c47c37c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
af430443d9d57898970b03eec2e3cf80

SHA1
05950e992abe8fdf6cbfd8d41e5d94ad1c7fe0ef

SHA256
21f6d70ce5bbc29b2c71919b0e22853f926a4d9a35936b5ef78d63d6e08c49cc

SHA512
1ecfa049241ac95df869743728c5f152f2c5bc8b67bac5d3e6b31a12a9382f2eac49dab18fd82910582a5609c4d2a43c45a1d92015a25cf0bc261560f4f42e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
905f89cedbe6db1d4574e0b0a9e05600

SHA1
4688679d2290f4033848e000e4fe656aee66d1a5

SHA256
c798b41f944ecff373dc2ffbf979a39f609989132aafe043d5b21b57ce34959a

SHA512
730fc40cbf54caa14d76d7730794722736662b19a9e9f218227874c703b80cf469102c8f90847c43e8b467ee07f431694a34e48eefa1ed3126677b0f0cbb4200

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e58f614bc6d80f11f951b316ff8f2c16

SHA1
38e1f8fbb572b201b8c16d46bcbfc72d115abbf9

SHA256
50f16a59089a886595d16139079f5e2101daec7038bbe4b47fcc44b25a6c6cf0

SHA512
025d230ab0b0a87d014b774299c202fecfb0265f5ce77cf8044cf45a28521cd6518af09802d20462b1fe573561cdc0888dd7fdb0d7cb75d763f9071d615d62e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2297df155181764fe0418b48df05dc76

SHA1
673b12f094ff25503b7db11e504ce27e3f4184ca

SHA256
7b456bb0aae938e5f191b2a1330730091c9f877284f69ad0f0dd80977f9340bc

SHA512
0998a1b3431a961f464277350234a8d1bfc3123b845626cf5902ee5fc61739bbaf47e5cbbc9f1b26f34f1184c51846d1361f50d23291a992356b0fa6cca7d5b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0559a536ec4c90d37eabffa6eb96945d

SHA1
0b26b800b2759fbc018e6f616a0e3f3def55cdaa

SHA256
2b0ad3d5692bff11633091c16adbc783c7681d85b7ac7228b10564fc44812486

SHA512
e27300687704f114465cd06a286748ee978661873d906dfda00010d91992cdd8bba5bb227a042a25315d901d06b4f93c1f1355460bb450e3097a7e729da10184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65fb4f188d68c31d0c43389c784c5116

SHA1
0be8a12952ca127448c7eed6fb974a3f1378453a

SHA256
462753ba31ccbfd4c509ccabf404b83f89e38d4705026707ada635de93961ab2

SHA512
5f5bd98f016ad0dbf5c2045565d067741e06c10b27626f2f43fc36c75c04f793064645eed8224ee5a997df3e178868da5d48947c1736332a80a03e6a7edea5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ce81cf672a83b4c897c243697540847

SHA1
7f4fcb51274ddbfb721b28ec84f8afc45add3962

SHA256
c55234f832d913942bb76cafbed23fd7661341acef69416521ebeb44de093e6d

SHA512
a0fb44ccb81e272af1e9cad280c6dc96df261445aec3953199122b4550279f654ba42015315c1e6b2a251efad9182fcfa914e262e7aab8a8db8600283e351689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
262e655113cff1bdff3c1e0e4cbaf6d4

SHA1
85cbed6041cb74d5e64195cc9d6f55468e2182f2

SHA256
6053db1357b359174b47aedec7320016da24bfb34b112b8cada69b6b7aa74935

SHA512
cde0e269f887d398ceeefdde92f09b55d48efcc0b849b0532104a8ded026c2351df04a73c4dc5f964c95f2755be4f2b425f41350c47e4e76bac1f8e2987b2ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f1cb0d4050938b479861ec3c978c0aa

SHA1
6222658754c62ac553b0a80b679dd9ea96573569

SHA256
1644d27d2406a702e3bd936e9669a78272c45c4ddd8ab886940abe3c78e1b561

SHA512
32b542cccae30e160c621a742fd9df8354cc61eabd4a4ce9b6ae603dbca4a8fcf8b553e6f6ca23000f46c9a8b5da080893632dc3c004366006c98e531766fee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
373fe4787bd2ea3bf3aa370cdb36b0f9

SHA1
0109a25730076697f87328e18f00c311887eafea

SHA256
377d55dbdcadad36cf2e3daaf0ca534bdeb4af33d820291820f5ad0498c5496d

SHA512
9585a417f43e4da2430d3386138ded1645fcb91447b973525749784bb07d3966308291ba9a0f0c097f6025daaaa0d7b8b0d1c93ef5caf3fe39d569e5262a9c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9f06df41f110bae0aefc4ed1b48d36a0

SHA1
0a1319010bce4cb27f3b37043c5321df9eeeda46

SHA256
ae39e07ddc9bd67d6ec2170f53fed268c8eb2955d1022556419e6c22108947e2

SHA512
83f26f2ade75cc09733f32f186f55ab8e5158303a36727e3ec26bede20f30ba2b1754d33948a40c9718e1ee6c87774cf832835da066f20265ada5b41a58b5b98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3a0bc3cf345dac9366b9f5a89f3fb160

SHA1
70d41263836e240dd39dc5cb12c497640ba980fb

SHA256
d39b75498af0a04ce7b4fbea5858d64895507cb12047d83f1568d5c3f039c81c

SHA512
7918dc58df79ef0dbf07219680c98996dfb9e52ff8b7efd1d72e146c9319a81809e996d6436a63dc64dd5409df0c40a31a5f0572eb428721d8410c70814c8936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ab103548-042d-4d3f-be3a-6ac8da065f88.tmp

Filesize
9KB

MD5
827301fd1b34213067708ed6936258c0

SHA1
127d62778133a635b85c04bcccc31a6963d82bc7

SHA256
123e5c30a6fd0897266fd44e68d6ab1d48511110b9cfc056c02b97cb28ca9f97

SHA512
ca53b89229bb4860e1624f038aac01fd828bdba14fa904f2ca7ebe51ff40af2a3eb15ecd05a4f9de4d1edc87d57c4faca6d39d421e489262669e5c8580f6df4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
29f1a233657cab2eb6e8dcf9f008e3ba

SHA1
a6c26464196f916f5892a9f4c42bc14688238d55

SHA256
c548ef7733e60b6f3c96477ad05df030779c0ceec17c2334777d669dbee94d94

SHA512
d0ad01b68d462eed4f3cce847df10efe2ec1d1ac9613519b3e6f00e8b11551d921dc8d774c4781e84229fbcfcbc59b7ab0466f594a43fa68d7eeb85c6fa45d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4152_1801313611\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4152_1801313611\cc70ef87-0096-41dc-8410-84359ee71d2d.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
\??\pipe\crashpad_4152_WTAOBFJESNZAZVZU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1596-6-0x00007FFAC2400000-0x00007FFAC2EC1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-3-0x00007FFAC2400000-0x00007FFAC2EC1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-2-0x0000026178EC0000-0x0000026179082000-memory.dmp

Filesize
1.8MB

Download
memory/1596-5-0x00007FFAC2403000-0x00007FFAC2405000-memory.dmp

Filesize
8KB

Download
memory/1596-0-0x00007FFAC2403000-0x00007FFAC2405000-memory.dmp

Filesize
8KB

Download
memory/1596-1-0x0000026176940000-0x0000026176958000-memory.dmp

Filesize
96KB

Download
memory/1596-4-0x0000026179700000-0x0000026179C28000-memory.dmp

Filesize
5.2MB

Download