discordrat | a4dd4197be7f40d3abaaed97c0ea6ae3f0b532982038e24ce1a53ebe481967dc

Analysis

max time kernel
1049s
max time network
1009s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

c907de67dc2e803be97478576db2a190
SHA1

9d6c48e1e4ec6ca53c5dea48f6c1131f7a926689
SHA256

a4dd4197be7f40d3abaaed97c0ea6ae3f0b532982038e24ce1a53ebe481967dc
SHA512

229f3054f1d5ee5bc4c6250291c47d3426617c48a5415e3c527a4cd069b9887a9010ed4dc6a7da858e0e7264555d8465515ab4c17c81cf64a858575760750b4d
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+BPIC:5Zv5PDwbjNrmAE+RIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1MzgwODUxMjM2NjQxMTc5Ng.G9rKeW.pTwvhYCM6HQkgqve7Nz63_p5459NDiNG4PKoAM
server_id
1354578979142631616

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
113	discord.com
119	discord.com
120	discord.com
194	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875153936453521"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{726D5D96-8546-4210-A230-98AB2737470C}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
6020	chrome.exe
6020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	Client-built.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 5036	4484	chrome.exe	97
PID 4484 wrote to memory of 5036	4484	chrome.exe	97
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 2056	4484	chrome.exe	98
PID 4484 wrote to memory of 1828	4484	chrome.exe	99
PID 4484 wrote to memory of 1828	4484	chrome.exe	99
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100
PID 4484 wrote to memory of 4196	4484	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa53c3dcf8,0x7ffa53c3dd04,0x7ffa53c3dd10
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1640,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4268,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4292 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3096,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5428,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5288,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5644,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5368,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5696,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3388,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3396,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3364,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3248 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3852,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4296,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5968,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Modifies registry class
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6100,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6016 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4696,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4760,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3108,i,13669840827958935323,18302792726806981009,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:4604

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154 0x49c
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\38d790dc-e6ff-452e-8e6f-d188da9f260a.tmp

Filesize
11KB

MD5
5c5aac8e70d51f9c929654dbeffd76dd

SHA1
340b6ec9190269e5d604d76cb9f4d380386f7c68

SHA256
378ca1e399026b607246288bc9da1e478d4e7c17f4c119456954a792493eb621

SHA512
0c870cdcce128ae2267352110d949264f545288e9c47b7b33ef942b799b863262674f613bbce1ff6589846e17b56a74feecd682b61e471ff748d7f456f02c8bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e5b13d794531b451cd1c2ba5fbb2e5e2

SHA1
4441f50738c41324b5cb06458b22f3c1f9eed1b2

SHA256
d6337bfbf60a4ebc1aedb44545578644168083c4ab39c86d20dafd274550c818

SHA512
19d24dd4dab72f43c92a273ce9665d9979ea38e782e2b129762ab4c0336f2010f32f24bfc9e67ca94dd241ef27f81abb8a697a6cc44d529fb4b56867826d36c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
876dcd9b7504adf7b91ffc73181da5ad

SHA1
eeb6327653310c6879803c34e7ac58d88022d681

SHA256
f43dee859c0c62b6aa241b1f7348bd5c4a13d361f4589dd754c0b831ec2499c0

SHA512
911cdff6b434482f39e91f98b86380fdb4a3019ccd1cb769d0ccec483264f67fb0777fd0e9de434509e952173002ae7a3b1e82cfbf8b01ea1e113c7974846e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
ab88e42e38cd44a1b88ed98ef73831be

SHA1
2e2a60a708cae1bb85c469d62c7c14bb0bfa40d1

SHA256
27a4d31825375c571cc9a6f00deb8a4116266e5673eb52136fa6d563e94e4359

SHA512
7edd7b27d408cdfabf34d4adebf0c2d46a0086e1ac8d3fb507c42565506f856b2643d7a5ce44a06896c6077c06a940a36c81d0f36675fdbf7e54dbff493719de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
35dd5add74779e876d3a0d2e39bdc337

SHA1
cc95e25f2457f485a38951b5158a3fe3b69a17fe

SHA256
b6c90e1b7727039f00fcb52f63ca47a27fa8e333683372cc58356718bb458324

SHA512
fb0262f2a85888579847f43bc5e7ab42631464d6b69de7cb114d348f1c04af9d0b1335c40bfda40ac30e55859225348620e73166db45d3285cb197f8ab3a4c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5caee985ac3b8ea467bddb83494155b4

SHA1
0ef11f1f4de642cd83fca80a7f8ea7676b9aa636

SHA256
8de1d81cdd9c9fde9ef563dfb5d3dfdc71010153d521d352c046b5f80c0befa3

SHA512
da0be60394461bb2e19cb03cb26ee9ebb5b6d790671aa31ea12cce709e4da699245473b3cc207e750b7e82f80ddf202f82f0f2c4232b9dac6da7a10ee8ce5c57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
43111cf7c64394fb7893ce9c035ace58

SHA1
a8e31a55060bff4732bf66a3007ff84a9658a771

SHA256
479754d3de0f3b0d30aa787fc390c99d059901617a3097f915e3a43503ae6dfc

SHA512
15cda595bbeea7f1da36b5768ca8d0c22386bff2e5c8299e0c7863d505920c6617728f7ad22bfad58c377a852fd2b05a96475fe800612005d30a81de8caff899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cee6bfebe0ce1ebe454a33f5fc02e27b

SHA1
f355a484176c496cdf7f35bbd7d9cf1d1a2ac951

SHA256
7b8742aac84c9e19745d8f6469455e9d7378305f9db66c7ef0b1ad5a541afbbc

SHA512
66050e6e2131f5c2f59a2f9bafc3d304e4dc5e37a1e6346dfbf51c3546224ab689be0072a6367cadbb29ac85fa6d242235395a735470cbd14bf8a2c61ebab8da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
26dba7bdf426bdf7b0d974dc01f1f6f9

SHA1
7c87609c241a846c1b762bb7534e2e79bf818438

SHA256
1c3f4a15487d70eae64ba71016ef72c86b80a6f5ba980f6423926fda7cdfbc36

SHA512
2992d8eb75efea05c4f33a8bd6f3d17d01e48cb635bfc03bd1a12ff4198181f94e63b3951d03c2f3f94bc81d5ab0ee857c6293484f73ef76a0ad9ec308a7d15d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63162ed2bf076a54c6d54dee90e2614b

SHA1
172d3e9c0738bb965d98d8d71685ff550f653afd

SHA256
af62e0a0f3ab3f4813d685d3f5adfaa33268a14137dec295eb67becde9600b19

SHA512
31e7848422be7246a46adc3537f2ca940a337d2235c72bbc3c59871032f1997facc3efb8db702a4d275341ad5c7e16385b62de4bbf1206706078c53136726073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
da23090b3156adee02d78d5e5186886b

SHA1
cd84b63600b988decbd885e72072a3cb344fbcbe

SHA256
afd468c839fb15407aafb4580d5cf8b12370f59e51760fd455d627df9cb7469b

SHA512
daf607192fe66fa27c273a390e030b5dcbd70a79cff122223c9da543e49a56009517a34196028d409bbe14bf049bbdee836788622723e11cf3a1b13778fc2512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
76848e85efc311096bc0a2e2f65f3717

SHA1
98e43444e41f08e5d3009e93311d2388811a5ca3

SHA256
2a6d6026f1bed4cfd0cd6efecb1271a37481b59fdbf63e0a7e6f498677c976bf

SHA512
8e1330187d3489a962612fa977b2551c1a92f4825adae3bfc9cecf5b1954b269d9af0eb38ae1dbb497b95d2b5fcebb30a12b738f0d0116babac596eaa92c639f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
19b36e75d8df2dec34d7995e036aa19f

SHA1
ef446caa102cbdf31b28a5ba62be26db3d3f915b

SHA256
91580aaeb67d1e9f13c01f1b1042b9293b6987f2bcb53eb36dc9aa07579a77a0

SHA512
247e15ebf08f3fd7caf209bd1d52a335fb234290b4806b0b05987d4e67f5a22638c0b0c7bbd212f054eeb8273866243dc055105451fd624d0cb89ef5fd533b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5c65e5e51ff9fba8606d0055ac4c5891

SHA1
70846d0c842827ab26ac5483743cc60f7e4eb0b1

SHA256
01fc694d074efaed34dadfe0bdaafaf24a6037315cd214a4ce93738f7392904a

SHA512
489776555c73e453834630a1f355786d4af3cf1870a427878f0549434870035eb44f27db35103502fef999e27d934dd66674b48a2a964eed3cabc61e043dc499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bb717.TMP

Filesize
48B

MD5
1bd380dc6a224425cf089273d41cb26e

SHA1
8c46fa29c00487f3111ca4fa4dfd191ff0294fe9

SHA256
18b3f5e8bd26675c75406f14435a32bf7871df1c99d7f99749c90b91a78e954a

SHA512
852ed05976ae43f033441c60ece6e3e5d4365868ccbf1f95f96108f718e4e0907679ece3b3c767403e64c830f2d17800e84e9287d6d106880488b792fa825780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
ffa3fd8c6c092b4cd6ed2011416364ab

SHA1
90ea884347c4583daf5ab4f8f9d4ed0b3517aaf2

SHA256
4ab02934768f2dd6dc6dbe75f099a3f2ff86f23a476a7e86bf3e24a8f9ca8fe5

SHA512
2be467aaa9c6e4bd00af283ce0082fd705232628e72530b9f93022f6a8ad04ad23c4f68ebd5ca09cd2992dd0352ff9819468f882a055d9c5da7947041822ee5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
a372bb2a08f3fd8962a59088c72ca8b7

SHA1
8cfdc4ce39cb5e407a0645d58e9a5f8ebfaf1f16

SHA256
ed5b6930dd60de325c14b6e69153a3faf813e8f4d0337e23a260ea492fb936a1

SHA512
48cfb6917aeffab7b2d2751edf0949720080a363bbf621e4cf831bf46f61472c90239984c2327e33c322009999f5cf29d258b951b8bcbe70e89057ce8c356503

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
72b9e99cefb62cac55605ecb3badae37

SHA1
a86279cfe74c153c2fe58a326f9b2582399f712f

SHA256
58052deff43c65f462e5bc8747164c6cb0b9325c8017a90de57fb49d3b1959b2

SHA512
9530e85868d78e98a1adfd078baaa0a891015ff102d12c1e0fcfce19e9f961095a32ccbd62870491cd05b886e20b4877966b4b6552e7f718feb07e02a73d9712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
712b1690430b9c5884ce4c4e5149b4b5

SHA1
cd63a25abf838a5ca937de799c45a06f4592e326

SHA256
bbabe5c929bf3afa912c6ce5bf3221c445e1326ddb2b21129a927d64dd655742

SHA512
cd1373de3d5e8d269f478368bf8a4310f430e0d454d34eb68123b47958491cea0dbeaed8c24af9ffaa3370ed9bff40ead59dab00943bda9309848dc94216c8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4484_818650293\a1b3fc6b-8d7c-4007-ae43-14154e02ac4e.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/1936-15-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/1936-5-0x00007FFA59893000-0x00007FFA59895000-memory.dmp

Filesize
8KB

Download
memory/1936-4-0x000001FF7DD00000-0x000001FF7E228000-memory.dmp

Filesize
5.2MB

Download
memory/1936-3-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/1936-2-0x000001FF7D500000-0x000001FF7D6C2000-memory.dmp

Filesize
1.8MB

Download
memory/1936-0-0x00007FFA59893000-0x00007FFA59895000-memory.dmp

Filesize
8KB

Download
memory/1936-1-0x000001FF62F90000-0x000001FF62FA8000-memory.dmp

Filesize
96KB

Download