discordrat | c8f8c3931dfe7aaf4317129997d334a66ce63831ffba734646b2fac665f73aec

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archie Executor/Akaza Executor.exe
Size

78KB
MD5

1122dc03fd80494144a56982d0ed162a
SHA1

891215f3b9aca2b6b4c683e04061e6cd1e54346e
SHA256

94dd471caec018c37563c6ab44d84b831e8d6681096f05920091233562badae6
SHA512

865c6263e62b730b86eabc6fba2b07a6b9fb7a27305baafadda7c07888964dc43fa79327d905295ce2a03d6789348a6b6c3579aaf12c8ff99040388f215c509c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+YPIC:5Zv5PDwbjNrmAE+8IC

Score

10^/10

discordrat discovery persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDk4MTIyODExMDY3NTk5OA.GtjQhg.JmWSRpTczxrX_1A9KdscxQg9DQjJe5yb8Kg4iU
server_id
1330981226093346919

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

flow	ioc
8	discord.com
42	discord.com
49	discord.com
82	discord.com
96	discord.com
104	discord.com
138	discord.com
38	discord.com
85	discord.com
88	discord.com
90	raw.githubusercontent.com
91	raw.githubusercontent.com
137	discord.com
9	discord.com
83	discord.com
101	discord.com
136	discord.com
19	discord.com
52	discord.com
81	discord.com
84	discord.com
97	discord.com
105	discord.com
139	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD2FB.tmp.png"	Akaza Executor.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819532500489350"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3336	SCHTASKS.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	Akaza Executor.exe
Token: 33	2844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2844	AUDIODG.EXE
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1712	4948	chrome.exe	111
PID 4948 wrote to memory of 1712	4948	chrome.exe	111
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 1956	4948	chrome.exe	112
PID 4948 wrote to memory of 4632	4948	chrome.exe	113
PID 4948 wrote to memory of 4632	4948	chrome.exe	113
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114
PID 4948 wrote to memory of 3676	4948	chrome.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Archie Executor\Akaza Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Archie Executor\Akaza Executor.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:432
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77Akaza Executor.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Archie Executor\Akaza Executor.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3336

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Rich Text Document.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff9dedcc40,0x7fff9dedcc4c,0x7fff9dedcc58
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2108,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3448,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:400
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff793d34698,0x7ff793d346a4,0x7ff793d346b0
    3⤵
    - Drops file in Program Files directory
    PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5248,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5360,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5152,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:2
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5372,i,12713413259390809311,2851154110203807368,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
36dbb2fdb95a3127f1112cfd41bd273e

SHA1
9601070e5c25d74d69f49c635f90e65728bf5e1d

SHA256
fa4d0493a7c6166c221abe7dba0d13f04be3b31f16aa5706d0aae5b115897c7c

SHA512
e076e41644d7f2faeb73a11ab58db03faa7863be1d7e95bb17656dbd69a103bea9991af4d1429759a3e5c0ef0113ab1711ebed3b0fd78d4e4ba52e23de02cc5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
110bc75e2d4f54e8480d662f8010b481

SHA1
be3349fc133fcabb3d22156af9ad21f643b7c63a

SHA256
5e2a7d7e46d6146b0283b005d824ebe1f631c6c5a0a6672410d7b3f7e0ec118d

SHA512
de3c0757a21f7e46316cf83d84ca8c13d6a8bb98fab654a814a2f3d94d1a9c9ea235557a564b610154721171d0db66231c82ca8c0da9a81be6ca1388382c7cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
381150b640f977a068beaf194058d3f7

SHA1
a58c57456de35f16ad1fa707fc283dbdffb877e3

SHA256
5b3467507e42385b0a95eac43a741800194fd1c43d4e8fd0ab6a2a4d5d765beb

SHA512
3d40ced4c561f9418ac02797228eac37df696e32356bbc82d41df181cd9ef03f7680326b3fc1a0126e3a13dcaf0bac96ff836ed04d6444a2bc4282f750a745d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be506fec47e5a4480ed3972e109d0c84

SHA1
b34329d96c8043edc2ca35f5f40e1ece55a8569b

SHA256
e47b27fc0f914e92255c7e739a189dd952e5f232f965b429bc5f4ad79c9c6a58

SHA512
a925b6d4f11974b072c29faee9f0aebb9d18961683b7bc0ed47cdf8c8f4efb4fa01f4dbdf97064303e65b7d01482cbd6bb78f8aa883950f55f85375b1b3bd832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
151763ed7538c91a053182d0a5d3964a

SHA1
8859e3b02e8ba181c47df6aeacbae758233637d5

SHA256
7df100f874e1f36b6bbe1c047630d22d92c2612860c6403fcc499e9afd7022b5

SHA512
b4a8ab097661ab84b4d82f9538b555099230863c85971218bd661687a1fd6e1537333822d2e7e6e4a3ff5f36d9e25fe40cf40ea966a16e638968db8d11fc1501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f9b2e61749f98238f913337246cd78d

SHA1
2698a246f6eb242c3b81457ac34a84130bf60796

SHA256
def306b173091212a8b4a9f3f28de18eaa8ec4a44b17eff574bc16bc8d825875

SHA512
6504dd15b4b315a39c927b8e8b11eecb90543ef5e3c71d283b61483bfc686711d496097c9589870b16a47b5ae979cdcf08bbaad8b860386a6f160f2688952fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e6fc5b782f5d1bc7de9d388f90ff1979

SHA1
4354b7c67c5749df2318c650add09b0e8c26ede8

SHA256
7e9031b71096c79fd3850b3c5b3b392761f3bdb90d78c6efd5009d46112a4ffc

SHA512
c91abd56fd5a0e62a541c3a37b46348337c5446bcdccee0983db82d2e00624d2dc5edbb773237babfe258d0681a3307866e30cbc2fa07c4390bb1a09afb2d1e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
498991270c7b2944d9e122c08e6d62b2

SHA1
b37e0077cbd6a766b4664e8721ccdab03aa83726

SHA256
0187adbd94b28f6f0b2c904ff22aa0dd6a324c806279412e6a9ec14b8d7a5aaf

SHA512
a07d061c428cb0cf0749de92d7b2ae15ec547629ce2628b9626ed4d424ca4a5ed3c41ae5c2625f51d971aa0d0b6d44f57fc8771500f9c877c39c6501e93415d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
6d1672698f6b7ec42106b7852dab447e

SHA1
f945b0ffaa0a4d93bd3edd7ebf9a71f3ea1d86e0

SHA256
a886e8c521d6ed13203cef6b7eae916401a4519cc600f8eec218fb093383a5ed

SHA512
e4c85087cbe119a00c57cd24628238541a9fabd2f13deeaf13132e1af691b78d3720bffd7e9d376f1db894d5f3fd2d97443bce5d1cef5883a1a6d36780d7d068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
703a2128dd47f416686bbbdbac8dcdbb

SHA1
1a10e5c2c6496ae0c02e28ca0db9410819065e1d

SHA256
14d1ccebcb0d34d5eaf628c14193f65378a5d07742de3315833b10fdb2a7b826

SHA512
133cb3a1822647552a59cceca3e4afece60d7100437cfb476ec82d525910023ae13f3b8f72c37a112669ee020fc50171cbd46d1b95d9b115e189f3ced106b6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD10BC.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4948_13829068\641ae346-919b-453d-846a-d2815d0550bd.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4948_13829068\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
426B

MD5
953cbbdcabe5762108fc262c37977e86

SHA1
50e1b2ba3d9d78ae26233924eb481856bb6a1f54

SHA256
3c0663fc326296dcdcc2eb0fa590ce111c3ded53801cf63cf09c47a07f8dcfb5

SHA512
580c9b28c834137c5718e54983c5ee9a65de64cf32b01e872f5d844c6bc18d2093e02bd2a8704b5bb3873eba56064e93b7d6492a6e60bff2c5cb5247eb36e446

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0979732B11E9479FA7CD9F61BE2F8FF1.dat

Filesize
940B

MD5
a85bbb447df73991e483a18ecd62ecd4

SHA1
00a15b88aef96524bb588506540b07d6a2740b6d

SHA256
730305648bb1e1e4a68eaefe201e0170621404def6cd8c71bac48267613eef20

SHA512
8acbd7b2e36dfda76ee52ab38ea229163b2b109b61efc11ebc47b0b08d96089095a2440ca3436951315e0d69bf686aa178936b3970fe030b94d5def87d410bd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
63f6eff2a5dbe828dd520a4d0362bcf8

SHA1
f8e82bdb45a861fd3e8beaa2a0f74987deb990c3

SHA256
e2e94ee17af0031893e869186a1bf9b481b47f6d732634cd3c9ecc34dbf21b9e

SHA512
cba54a0246b6f665b59bf23f77695693579b166d561de45755b932c0ba84227b697d069b4ecb0d2b5a5dad61581f20d4d35d74f4d71d9a403bd21bc524de08ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
077c9acfeaecfe66bae54a297fee7967

SHA1
448f3795f2f176fa29c16ec5856e951f104e688c

SHA256
2efe2b9aa8bf66d431b402ca36ac006c583bdb16f8ef78398062c463d5de320f

SHA512
778571771e01de48cc1e5b64d99ac43a9e6fa76145eb4b3394c42280b443f74a3c5e18c860882d91c041b6a9748db19ef99bbd032ec497d1d27b8bc864e8430b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of New Rich Text Document.asd

Filesize
22KB

MD5
67a8930353dca959046195ddb1031393

SHA1
efdec2b1c73b2a16423199b06f171ceb1cc322a6

SHA256
9086f51eb1e3a46da4a3c73b7099530999c164a85245341c5db46610cca858cb

SHA512
da42a71bd06a95f2850561bb5085c10a1cbda22fcb28e1c82aa53f066c95ab21a00a3c4145db2e1bb83ca59d92502f5ccd623cdd42563f47b256a6bad7020715

Download Submit
memory/432-2-0x0000028552F10000-0x00000285530D2000-memory.dmp

Filesize
1.8MB

Download
memory/432-1-0x00000285387D0000-0x00000285387E8000-memory.dmp

Filesize
96KB

Download
memory/432-3-0x00007FFFA2FF0000-0x00007FFFA3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/432-0-0x00007FFFA2FF3000-0x00007FFFA2FF5000-memory.dmp

Filesize
8KB

Download
memory/432-192-0x00000285532B0000-0x000002855357A000-memory.dmp

Filesize
2.8MB

Download
memory/432-4-0x0000028553710000-0x0000028553C38000-memory.dmp

Filesize
5.2MB

Download
memory/432-184-0x0000028553640000-0x00000285536EA000-memory.dmp

Filesize
680KB

Download
memory/432-5-0x00007FFFA2FF3000-0x00007FFFA2FF5000-memory.dmp

Filesize
8KB

Download
memory/432-6-0x00007FFFA2FF0000-0x00007FFFA3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-15-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-48-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-47-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-46-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-45-0x00007FFFC10AD000-0x00007FFFC10AE000-memory.dmp

Filesize
4KB

Download
memory/2360-236-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-237-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-239-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-238-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-240-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-14-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-22-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-24-0x00007FFF7EEA0000-0x00007FFF7EEB0000-memory.dmp

Filesize
64KB

Download
memory/2360-23-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-16-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-19-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-21-0x00007FFF7EEA0000-0x00007FFF7EEB0000-memory.dmp

Filesize
64KB

Download
memory/2360-20-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-17-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-18-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-13-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-12-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-10-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-11-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-9-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download
memory/2360-7-0x00007FFFC10AD000-0x00007FFFC10AE000-memory.dmp

Filesize
4KB

Download
memory/2360-8-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

Filesize
64KB

Download