discordrat | 34d7b6170f738ddcb8673cafef7391b4d61672689e7eced71b519fedd7d8ac94

Analysis

max time kernel
117s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skibidi.txt
Size

268B
MD5

3e322ed7e3af757dfe49cd7dffb4d3e9
SHA1

9dca41a984e0d4bfc4c9297377f9b39c5771943b
SHA256

34d7b6170f738ddcb8673cafef7391b4d61672689e7eced71b519fedd7d8ac94
SHA512

914f6eea586f7d53c1f0d3d288554004d0147a26a73906f06f41ce398ca24f396a3426929b27ff48fbc64d2529ce43a0b45232f951477fb5d7bab2e6257ca8a6

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MjE0NTcxOTUzMjUxOTUxNg.GE068g.Ht6vAA5mH9PlGBHitUAiZh4YuyRS5ymwn2Zzvk
server_id
937847083044593735

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
4952	builder.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786827307652530"	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3980	NOTEPAD.EXE
3900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: 33	2272	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2272	AUDIODG.EXE
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4776	3144	chrome.exe	97
PID 3144 wrote to memory of 4776	3144	chrome.exe	97
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3524	3144	chrome.exe	98
PID 3144 wrote to memory of 3392	3144	chrome.exe	99
PID 3144 wrote to memory of 3392	3144	chrome.exe	99
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100
PID 3144 wrote to memory of 3656	3144	chrome.exe	100

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\skibidi.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb2926cc40,0x7ffb2926cc4c,0x7ffb2926cc58
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1688,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4752,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5008,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3168,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3492,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4696,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4708,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5348,i,2853623263661623250,7699694769464669599,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:3624

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2744

C:\Users\Admin\Downloads\builder.exe
"C:\Users\Admin\Downloads\builder.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\builder.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
06683f143c7ed4f04f9a806b2d8f162b

SHA1
69167212acaeebfca315ac7f61c4c7f00a8ffb7f

SHA256
038f942fac2402861c8c4d95fa8557c58b28981a4c0e732c8852101ced5c67f2

SHA512
d829ea002c20198d01cc3f2be8a0dcac52449f0421ee60a2922e05fb48c26ce6d5a885c38fed7412322e74de18bf2f4ac9aacf45f78902cc89a869017ffde9a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
312b7878ad707eebfe6d47c95dc506a8

SHA1
45de29feedd5cc1341f6c18439857ed4c22bdba6

SHA256
0c785bde85d20e27b712f6b4c6ddccc6c57b37273b657bcfb8aafc24ec53f669

SHA512
84c2880346141428f550721df82bc6b9680313f7db636de62c76682ad73cfeb57b02151a6e8388e9a24185cac2c12d0b11f85e6842d14cc47d960a77e3a1574a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6a72ac0f19a9d3c1a65f9a31c0ebd94d

SHA1
9846ed0c790cb64e0551bd714c52ca03381c4c8b

SHA256
34ed193b8e2a1682ec51a8e3ada060aa9655761fdf3a02479c74a30d4ecef736

SHA512
72c449ab063cd5645c889a16b2c1ddab73781151199479afb9073ac8f37049ce6df87b547612d2d65d9e9785654c3a3c40c0db7fb3f3a6339bac178b7e9477b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
dc9b796d124ccad0fb865acaeab6eec6

SHA1
6500eceea1102e3044b5d4d522c85c82679d68ba

SHA256
7580500fb1fa13f63ef0a2131a8da37d0d5fcf2f217d9c1f139bce1b05842fb2

SHA512
287fc53986ddb3417faf4579a7c1eac06e2e44953780fbc2552849fe7866d0d60af848bb0966e94e8b5e9152c5bc8f9b835bc2707f048ea78af96d919a830aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
570afec4a6b705609dfbad5efc853a36

SHA1
82e2ed044610a3d351d85c6dfdcf79356cf6a1d1

SHA256
00ba4333b08a5f61c54b08af539f74e4731987955d007fd024ba19a428cd593c

SHA512
6872f4df857ce5e03d8e907d3ece0c07b8bbf2ecdd430f4fe7ab311212d088da2f89ddbdc2f4462edf676f13ee44f93766682470b40de77d2f756144760c0173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ece3c28a6b5d580cb7640f00a4b44349

SHA1
66aa4639a30ffdd09c72802dc0c523a3548c9bca

SHA256
748ee43c36e88f5eb5d3c7b759e5f5cd54b8ce48d8f923df03c656e3376cb6d4

SHA512
6afe49aa96a40c1acdf13949d57b0e999cf453ceffe959e4eafd97ce7289f6dea46042c9586fee3d3a5f3c82d3d17ea988ed4795dc27ca2f1b1aec1d7d87734c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca69b9cc0c48e799fcaaa32a459bb8d6

SHA1
1c8a8163570e165d8d0c3faa64c3d908688af76f

SHA256
f5ef1d6bbba62c6a2057721f84d1b08f7354ef09e6cf4bbf0161b9ff18fcaa4c

SHA512
2731b1c29ef824bc5d8af6a24157daddd6f14e1d52820edce49360d9863208fc0457810c85ef6f4440191756c6c94aaae05f46127992a40dd004abaf7e4a53dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c6319a9b5dd639d36a82f3286cc1999

SHA1
c0e56d10831182a0d73ae595be319abf8ba40616

SHA256
c4bf7d322330191b07bc1430f3c6de5555ad31a2ff5508c26ce242a3b0270fd8

SHA512
4fa4fff5e4046f4bf02d614d35401cca1d9473a565995bfc54ca4cd37ad9ceaeb6b26805e7a9ed4d749d53dc6e93c9d27e34bf40063c776a3d8c0243060af828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7fb708bf74be4b3e5b79b4ece86739b

SHA1
2e137f051f7838d4bdbd1e1e689f4432bb0f177a

SHA256
00a1b1a5eef5d78e23015a7fe15b3ec2dec1c6af2c56578183e701812165e2bf

SHA512
d26fb1d94bec59a3ccf87787033edb1638b225dab69fed190bd9ccedc5109aca14ab6818df1891fa00b6358b4dcc282df68bf8df5689ce898b2deef5ed44f37c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d7f0001cee91e1bc6085d073e5ef94b

SHA1
fe27f824c96ec43c5d3a04eec8df97b580101304

SHA256
7db7e3224148f167cf839edd633d3465ca43c68c4b7fdf2db12b916818e2947f

SHA512
bbb593f698606a46450de5674b904ba68c06c6ebe358e1d310f440c5bc30fe5e689cf2a99b894fb1720a94c2e9fb3224bb24c9f03ef39fccabef074d3f104f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
623b5f49fc458ddf2481a27a2019db70

SHA1
31aaa5a52386c536a6871f9c452af5711bbc7541

SHA256
8ddc18fa174fde997b14254a9bb9127ef744d85822666935f155b141a46cd3fe

SHA512
bdee34fdf6834bdd3f5c68c4a8ff47a0571352d4126883f091831e7be5d35839ccb6f52e5f90a059167783ad74433b20f9dfa2bcc39bef87c4b5a7cb6aeda19b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
484317a5002de4ab71cbc4b60257528f

SHA1
585a1e8ad5c36fd9f7d24f8c4c001c648d35b99d

SHA256
957a04446560ad8ae8f7095a46d532598db43caa3772e2c39295eeb0eb7da092

SHA512
3ea77527ae8a4359b0d6b2ad7cd81dbb65ef3554400b364406be45ac787cc64e42c84c53d4d5ea3762caac43c64407088b6f6a3e707490138564e66e18594155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d27f52839d7e4bb77d98fc73fc512834

SHA1
8e9daafa3cc73f109d1934e683e7179147d6e383

SHA256
65210a933c3a199301f980aa133ca60796cc4fed5b80d7daa3c249dcf906649b

SHA512
399707f2395b684aaa3ae2477392877be62b73736d4770d12e2a2cc94228ef3c147916f04dd346da33ead3b54a4e37a2b891652d533214ce84d69b3068d89909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4a97de75f4a6098c891e8207888efd6f

SHA1
5437c363f66a642f91402a02a3517262dbffbaf4

SHA256
7c05373cff05713c38326c8a39e9d5f117a54b0f2879c30f5db5a5761b7d1db1

SHA512
444e6adddd838e12703580518ccabe1f809f1ade21aa81b650e94044a1e2739b3748b40e4ef8e0d888d7cc7284cdb471f5d48ebda18f13ce3bf7a2964e1377c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e0682571a1fcb0cfc3ad714d7d598dab

SHA1
8b7bfb8d1d399dda2ecc28cd3f6285b1d0bf5f7e

SHA256
bd60656db9358965b1f57f5d8c61f57746c85cfa6f58b7eb8e717eb02750267a

SHA512
8a6b2ee9669a6b02cde9d8482a5ba7e47ab6515a3fe0016da6f93459230d8580f1441e63edfba2b530387d985761f7f00c87b5ac8d07b60ec6a209365491055c

Download Submit
C:\Users\Admin\Downloads\builder.exe

Filesize
78KB

MD5
a12865b4fa8ebf5fb882163673cdeddc

SHA1
da44bdc13f5cd9daef0e5e57dd55c4fd0130da2a

SHA256
7386883cabf20e803f69427d9ca0c10cf3fc4a61a2f3fdf6304e332eab142b16

SHA512
6f2ab73f9f3433cf2359b6e9294e4d426956b5b752951a38fa0ff9909add65a19ddfd21c2ca28a1f7fb23da42e25cb5ad57ca3dcfcbf36c5e7744837537659b8

Download Submit
memory/4560-267-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-266-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-268-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-278-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-277-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-276-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-275-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-274-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-273-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4560-272-0x000002B8C7B50000-0x000002B8C7B51000-memory.dmp

Filesize
4KB

Download
memory/4952-223-0x000002B8C3630000-0x000002B8C3B58000-memory.dmp

Filesize
5.2MB

Download
memory/4952-222-0x000002B8C2D30000-0x000002B8C2EF2000-memory.dmp

Filesize
1.8MB

Download
memory/4952-221-0x000002B8A8740000-0x000002B8A8758000-memory.dmp

Filesize
96KB

Download