discordrat | 4f108611be452635e169bfb8849711088e6a3199d779563b9cdbe4fdc4b2cd09

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spicy pics ;).exe
Size

78KB
MD5

10e250b8f44c5ec38a51a856493e16b6
SHA1

513445d4e837225a27b3eaeb9c7965e517f3d9b8
SHA256

4f108611be452635e169bfb8849711088e6a3199d779563b9cdbe4fdc4b2cd09
SHA512

24b13f1080af4d38e6e9b7017fb94eb23fc6254505ada4a83178624c2a848c7cd1fde093c6a2dbe0af5b920003f108db5c3f0bbb5208262b738dd82058050cfd
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+vPIC:5Zv5PDwbjNrmAE+XIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMTU4MjM2NDcyMzM4NDM1MQ.G-FuwN.gpQY1-Zqjvbb29Mt5kTMhmNWTBMnnzHCXU5EXA
server_id
1301657933876039711

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
130	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796394472075974"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	spicy pics ;).exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4596	440	chrome.exe	97
PID 440 wrote to memory of 4596	440	chrome.exe	97
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 1536	440	chrome.exe	101
PID 440 wrote to memory of 2252	440	chrome.exe	102
PID 440 wrote to memory of 2252	440	chrome.exe	102
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103
PID 440 wrote to memory of 1684	440	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\spicy pics ;).exe
"C:\Users\Admin\AppData\Local\Temp\spicy pics ;).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff94f5acc40,0x7ff94f5acc4c,0x7ff94f5acc58
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3144,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3376,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4532,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5144,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:2
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4128,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5272,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5456,i,15953302306543450820,17966167255609723856,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2004

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4e284b8752e22b020e9739c589f60743

SHA1
35c5831baee3f40528db5884c9eda389f2bf318a

SHA256
5701035b35de73d23edb5e607bb76ffb1003dd0b10185488eef6445656aa8b64

SHA512
940ea6d3089052f8769bc527405c112e85007c52afd72333fc3da8c6f6ccc2922650271018001b3eff46aa6f2d0047e56a29005ac628037dd15d921dd89cbceb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
96f0d6f55b95c1e563626cdce7fcd0c2

SHA1
3c039e79b5134eaa7ca78532e76102be0ae46ff4

SHA256
a5ca2c4665fe1872747443784dccc0b0b01ce742e98cca5da7f63bd9892255a0

SHA512
c23a155129eb8e16c9dfcd6388630607fcc918b83fa0e1acbdab7cd2a17e9b22d2fbad789d48eafc48a39b234f6164495431f011b534c8ccde4702ee9c2cc29d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
dca056076eafd092a22119d1db1cc5bd

SHA1
bc968db21cc90e47ce9d878f3f9bcdae2ee513ef

SHA256
63941e61db69ce65055ffc40c38099191aef9fa8f6e9c4c021197354ef3a800e

SHA512
d8ab5077cfd1bb8a22579659a5ca14acb6b2177ad2b94bc1a33f6fbf7fc8b3a14b2a52f8d756272f3a686922b7659c5def2dc3842ac9e51414b7c2001be6aba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
dd3bdbef08164aded53523592c4de48f

SHA1
406d96bc84b5df13db6b3597fa09cf29e758f822

SHA256
2ed1657879c5c0ef1c672c83437a470673a48dd37e1f5160e73f3e5400ca9792

SHA512
b6b8157c33603fd7d3f0520e08faf301f94affff316caffb3a42aa21f109e63289476572e2b9153247022858cf2cd3b77dbb6788823183d6bab38d7d630012f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a0534be7b90d37b917aa7b79df9063f5

SHA1
7732a528b69f7f20d82270d37e74fc9627f12001

SHA256
974eba5d21769ed1ee94cb1255196c803d852c465348d4eaf6ca42a7f45858f8

SHA512
8fdce45d77d00eadbabb31ac831ba7704406936be5c2fa9d80cc361916bf6a17847688fe163dfcad8b7595dabfa7bb04792a8b9f7f86bcc065a259ed24d4f5ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7a3bcfc5d5a0a2f849b091f1d4d934dd

SHA1
fba5ddc703e6886565b14ebb6231e9193d5bb90e

SHA256
022c0c61469864d398f03944f27f7e45cfa06831a41c8966212d48ff8cb34932

SHA512
6e0a8459cba68bfd11cffad8a1ddd2e1bf90b74689718171f1fec5a322129408d7391343f852b41c54c3c194af3dae10002d7c0dcf7e168bd6c458c029144104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a43e78ae91c978ed097e3de479587d06

SHA1
d6800ecd9142084e4b84d9ac5c8ffadb915a3f4a

SHA256
844a5d74730fe52c5e655ec9f7649f8db380868b81b2ea2017ff52ab398f55e1

SHA512
85a2cfb2bf027a0c94717b6e4e22dc5de57da9b70e60cb344254a84c4e0e012b3712ea8a41429011ee677c56428114724784cf5772ca2503bd4d04278bf99bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
1464f5882c65936f8f819d8db7817bb9

SHA1
06df0d4a0fda48cd147c9a760a1b089967e6e81a

SHA256
c161cebd3240eea8ae6ede814d41c38bfd4f95ffb209e78b29efc4ea1de91427

SHA512
6680d1b56a8adfa9ef058cf35f70595eaf87a3359541076bcaaedb8ce0c289eec30816eb6727af761f0b47e3c4281692561004fbeec8b1c5ec090d6f4e799835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7e95eebc67b8e0a1df3064ca4eb5a4f8

SHA1
e22810d8800df1fc182b8725cdb3032001c2fa12

SHA256
ffe2b7e16390af7274802c035df9772309fb18b76f9d95f5a5c68d50c8314bab

SHA512
a709e9b53c5851e38a57fd3a5c43f0b6bdd53d869af72322131835658e4dfb79a6a6f6921d360565aecd848c8d568a03e8e4cb9f5f06e56a860f8e66ac2c2a95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b118fc733ceabfe0b1573da246056b5c

SHA1
092095a3659b5c08985fa959e7964a1eebdb9b85

SHA256
ed218c26d0137e4b6905867b5b8d4ea9000c0e1c02ce90c2d29e3dd947d156aa

SHA512
fe24fd4d154b201861171359eaab7316d754ceb2ce8b119945fe483257ea73205b983ebb01d3818ee4e3989251245b56f0d77b07ea2143fdec3b68bd4f327c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13c86ddbdf66ef835cf01276989c3bf8

SHA1
91b981a39111b82e3b4de6c54a87f9750ef08877

SHA256
62858e7a9af0be97d423a2b38e3d0b170dbd0bd160c23aa201e60cbf54cf5e58

SHA512
88f3da5e0b53e58c09face3fb1625eda0553c38dee89f4aab8c51b8fc05a80afe4953a936925457fc61f709d41f1e5002dd6c9186a77eb123781c8733bdf3595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ff277d6e1306b3cd4f150587cfabdbef

SHA1
94b3088f0c5a309d4d557cffa1a2ddf22cf4e065

SHA256
cfb8f7b8a38b7b55e125c301d6d65c64d97ce6a9e3d7a99c7d17611f38fc652d

SHA512
d3df68d526db0f4a6a867fe296b591957d4e085b4d2ab3031b289c879da4700e522851d9932fa261195320b27dfe7fc0688d898943ad37f5baeab50357e001bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a8da17587d0403ddbbce7571f4ad175

SHA1
92194d392e32e83d97942a5aadfcddf62b6a82aa

SHA256
dcc2af9c6b1990e7fb83bd3e7cb2012cdd6b61f2ac945ee1a5ffd2b94e22f88e

SHA512
8a3ed8502728deb8fff9eac126ca3eb7b1357d01ba7f903ad746d687843beb1c32b0dcaa6afb15da26f30c33a181bc1287a94ff5d021d97b038733bbae1c8eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac706f7a20b82cab740d6af9381d8e32

SHA1
bc2c3394f92a427bf533e506c4d6cf721109c31e

SHA256
c910dced78d9886a79cf8884f0a299459467f43cdbfa23f9db7c29481a046eab

SHA512
c20db479f31a149c90cefe9e0e5119562f8e3a3fd3422a755b1009dd4cd82ec4df7e447c776be1fe4754b1480bb92d71bf7eb0ca354b6c5cdd5b10753e60b7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b522f8a8c18db1ad094757a04c0e503

SHA1
1eee70c205891b3b3adf0363077bf7c76e9addc1

SHA256
8b8ff4f9f445ff7e214420c0327cc053cdc51815acd6247dc87dd47225672c74

SHA512
c641fc2d231978487bb9924857772bfe053b64f48f50abe3d261b597b54bec375eab4c43407f4e774d4ea699011c729b78bca00b6175a76d89c209a34e0c675c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e348c6cbb120e95d887816476bccb1e7

SHA1
ecf9633f93ad3ec7ae90d26f4a19df7d224ffa78

SHA256
d937b57b17df623d2ab423c9aa485ecd3b4d11f661b59049bf64452b45164da8

SHA512
1636db57b2bbbb8df8ede371a6bd244e5a00f422b6c0bf87aba7e22079847317f4816c1cf3b147dc5e5ec399d8239824ba37560ea0cc8fce0399cef49b342a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7ef5efa51b423b2da55c4d470ee6d676

SHA1
2f6d64e6e38cea69175e97cb3a748776910da959

SHA256
9fb316e4a67ea30eed6d365ef69541d4088e81042b39415ba556dff5407ed8a5

SHA512
b31e391c2de2abdde22c6a9d26d64be6d232076d87218a0b6d3967a2a76455a8783546693e1b812523473c476082807a4e242706a243054c997a81f98039801c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3907d127743355b1feefac3cdde90d3f

SHA1
9feda16aaf3c386d6a8a75940c4b46be99186505

SHA256
4806d0cb43d43e39ff1475a16a74d7b45eaade6115099727db8137cf9db81152

SHA512
9d11afe5a41fef0589a6fc3be0f12106dbd90b91553805f568b0468d05d7ba4938e7248b2a1a0394c67bbaa0f841d36ce53b55b405a9df1ecce411a6a288fe75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b1c6900329145e0323d56efdbf9a7761

SHA1
def5717aaf2aafc9e05a3727bbd1e0dc72631bbc

SHA256
491317b5be0762be09a40fa0c843e1c831536691847e1377770ed5c650349e18

SHA512
884e98fdffec22d1004919981650a3fc5e02a0f1f1a7d3bbf684da63b6bc84c5f772bff4472ea3946cd73ebef9a9e1bb8e4c865dc56a04423784459d5625b693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
71d62fd4041378e8c828c77cb255d056

SHA1
37d1ee12201b438f54b40e971c956bf6f3cd73c2

SHA256
899f76729743d78c190c4046b1cf01374af0ac40e6ab96d1816e5745e0d61be8

SHA512
8b7ca729f254bc2e69bf30c78e005d62bfe83c3bdd6978d82bf15be74a00b2c3d088e92f3435b5e155cfe0eeaa4283e1d52e473d2fda87422de286f3622acd5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a898ecf346d9eabee257a071b3dff366

SHA1
d3fd815b3c3d76c07b8c98d7e81c5179d5c49d17

SHA256
80ad344b02d837fe13ce1223dc81ef21b1005196569c06245a47ec7130625c0e

SHA512
65e9d45bd31e5ffa9f6928e28a239a1b0cce804a735ccf35eb97e5ff64a1b77dd9707d04609fb7502ab777c0cccf83b162398749ee00abe3dededfd68389a62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1d854e99fc985e1b1171a91b9faa108b

SHA1
182b32aac19c00276cb725fb00748fdbd1201a4c

SHA256
e731a15d542007deb65649f4bd4df0d802a02c277cd75881af280b8502eac1a8

SHA512
8b03f54d10aa74f452a641ec73cecff2c22af1afe9bd9543e48863d300b991079da093a3ea54f23755487e697cff00861cf65b526c553c0fafb1ed5256efecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d895ce8b-ea67-4731-abae-443a90c78eca.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir440_435087161\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/3876-829-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/3876-827-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/3876-828-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/3876-830-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/4800-5-0x00007FF955030000-0x00007FF955AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-4-0x0000019275D80000-0x00000192762A8000-memory.dmp

Filesize
5.2MB

Download
memory/4800-3-0x00007FF955030000-0x00007FF955AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-1-0x000001925AE70000-0x000001925AE88000-memory.dmp

Filesize
96KB

Download
memory/4800-2-0x0000019275580000-0x0000019275742000-memory.dmp

Filesize
1.8MB

Download
memory/4800-0-0x00007FF955033000-0x00007FF955035000-memory.dmp

Filesize
8KB

Download