discordrat | b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d

Resubmissions

16/04/2025, 17:20

250416-vwgayattht 10

16/04/2025, 17:17

250416-vtt41sttft 10

16/04/2025, 17:15

250416-vss6bsxps6 10

Analysis

max time kernel
148s
max time network
151s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
16/04/2025, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kernel Mode.exe
Size

78KB
MD5

6119c2fd88393d762b0bfa24620b91d4
SHA1

ccd132085d4756f88e7d554c671cd7ba01e38887
SHA256

b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d
SHA512

a6a43cb61c18414a49fca46ed39df7c1595632753ce36a54fe9b1f9311c641a2b5af096c5add40d6ae79070760b7f9314ff8796bf1475246c7db6dfb94ddcc77
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1NDkyNDE2MjYxOTAxNTI2MA.GE89pU.6SDUNoquBQfG7ltjuIHlLjl_DRADwSdfVSug-c
server_id
1351601990072795178

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5272 created 624	5272	Client-built.exe	5

Downloads MZ/PE file 2 IoCs

flow	pid	Process
85	5272	Client-built.exe
45	5384	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
5864	Client-built.exe
5272	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
3820	taskmgr.exe
3820	taskmgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
35	api.gofile.io
60	discord.com
81	discord.com
83	discord.com
84	raw.githubusercontent.com
86	discord.com
88	discord.com
33	api.gofile.io
59	discord.com
63	discord.com
79	discord.com
82	discord.com
85	raw.githubusercontent.com
89	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5272 set thread context of 3132	5272	Client-built.exe	108

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4a83910_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4a83910_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_8086&dev_0022&subsys_80860022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\Downloads\\Client-built.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133892974528423266"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3820	taskmgr.exe
3580	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	Kernel Mode.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeDebugPrivilege	3820	taskmgr.exe
Token: SeSystemProfilePrivilege	3820	taskmgr.exe
Token: SeCreateGlobalPrivilege	3820	taskmgr.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeDebugPrivilege	5864	Client-built.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
4048	chrome.exe
3820	taskmgr.exe
4048	chrome.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 5232	4048	chrome.exe	83
PID 4048 wrote to memory of 5232	4048	chrome.exe	83
PID 4048 wrote to memory of 5384	4048	chrome.exe	84
PID 4048 wrote to memory of 5384	4048	chrome.exe	84
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 5420	4048	chrome.exe	85
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86
PID 4048 wrote to memory of 4496	4048	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1088
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f1e564c5-6038-429b-84ff-86cf539c557f}
  2⤵
  PID:3132

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1308
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1612
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1864
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4dc 0x2ec
  2⤵
  PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1664

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2720

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3580
- C:\Users\Admin\AppData\Local\Temp\Kernel Mode.exe
  "C:\Users\Admin\AppData\Local\Temp\Kernel Mode.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff9a41ddcf8,0x7ff9a41ddd04,0x7ff9a41ddd10
    3⤵
    PID:5232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1604,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2060 /prefetch:3
    3⤵
    - Downloads MZ/PE file
    PID:5384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1864,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=1856 /prefetch:2
    3⤵
    PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2556 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2796,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3120 /prefetch:1
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2860,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:2796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4284 /prefetch:2
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4656,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5292 /prefetch:8
    3⤵
    PID:2624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5504 /prefetch:8
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5628,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:2588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5796,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5760 /prefetch:1
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3216,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:3764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4752,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    PID:4660
- - C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6000,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=500 /prefetch:8
    3⤵
    PID:4724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5916,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4680,i,8137656703416795261,15564648020160470093,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=6092 /prefetch:8
    3⤵
    PID:2176
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3820
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
    3⤵
    PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://pornhub.com/
      4⤵
      Enumerates system info in registry
      PID:2612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x280,0x284,0x288,0x27c,0x2ac,0x7ff9a339f208,0x7ff9a339f214,0x7ff9a339f220
        5⤵
        
        PID:2756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1888,i,15177060237664966059,5843568686348404529,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        
        PID:4168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2188,i,15177060237664966059,5843568686348404529,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:2
        5⤵
        
        PID:4636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2440,i,15177060237664966059,5843568686348404529,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:8
        5⤵
        
        PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,15177060237664966059,5843568686348404529,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
        5⤵
        
        PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,15177060237664966059,5843568686348404529,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        5⤵
        
        PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2840

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3800

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:864

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:5548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2964

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
c3577c641fd86887bb0f329c8c69a3eb

SHA1
8c4f4a33a551e184bf0f3b5637f601d174e8224d

SHA256
daa6ffa225e1e2a5ab9e8e4d8c0e7bbb66deee3cedced71a0734c35d11db697c

SHA512
09e5a3777fe49af69fe81d40f788a18c9ffc42dd84741609afd8f5e119111c64c7d8fdc56a0c52d8b41c0794656d8ea40eeab5f67b6ecf9a77fa1dc4c95ab4bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
92555a1a6f3f691ddedf3f1e2f6f734c

SHA1
0c7e357bf24ff41d085a54d47cccbd98dbc03715

SHA256
bbc7ec893e19b931f941c39e766c4731443ef9cd35d93730ef6412f70e89b9c2

SHA512
9d709da59808057887927d692cd4da51a816a32eef03f6435bb539247fefa56e7a169ae58693bab4a54b8e83d3341d050638bd52e064ae4400eeb44908759faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
a75f402d8856a7253765b48a3e817764

SHA1
aaddb7d82d70b24e6f1de6b3499c382679ede835

SHA256
a2fab9edec712b1d3add3c7ad483aa7b23f8c05b7f7f387ac2cc0b964d67caa5

SHA512
c1b35395848cdd00489dc18e32aa87c6defd931a49cdf4197ccd35376d2ced6983135256e6b69be37a01954340cbad32278fe346cb8f3458b28046e7f3a688d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8cb35af50fc68bb576da1973a7a580eb

SHA1
c00c0ed391031dd71e1fd241ad6320d83946bb54

SHA256
c8a68f1f63c959df1e134af3f67286936a6976444d1083dbce745a2e1064017c

SHA512
9240a4ec72ebe3f0d318e968e410ac4947266bcca7e5e1689f94851a74b32006e20c7b3d8921ada6f7a4d623cc2e07f102168ceff7df8d121edadf2ec3a90490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
264697ec4f781e34d72098bfd2be2e02

SHA1
069d3e982a76ed3aa14e3bc577c80fdc64ba5d92

SHA256
9d353d479bde6124005bd5bd9b2cf79ab81390de353d0098a45ac3acb2065717

SHA512
61a06269797041b20f3dec75f849a21a634abd0337e281042803014ab0253329bb780ab5c5583ad76ed2ee1031c0b78d07bf27adfc637897927a3618f59a58a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
22c7f9cf012c0218be92d16856425737

SHA1
d8a72a047dc307bb69bd0b2f68aac4d0d451b9e5

SHA256
eebba43dbc845dd0f06924f8c06db82eea09b160d85e64e2838c0fed5121eca3

SHA512
bf935a08b5c6a61b8d41efbc05a40e4fd85654e63d4c9937025515d51f3cefba686fd8071d0f768946be9e3963e422fa2e2542adedb131da10e58a5cd6fa7b98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
caf066e044677c2c2408d4ff07cf8d4a

SHA1
8f7c42529dc38b52e2c0323450f94496998c5d0e

SHA256
e0e41e59bc667e6442a20f4e7f6eab9603d0469ccff4155566129aa2a643635e

SHA512
5b799abef09e97e511fbd05c52e6fe71d5e8bc53f47320028c112a6871b989ffbaf54b3aab14cf92142fd103eb937a958eb6c9b8b9dd0f5f1b041f6428b5a6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c0f84c60fc03cd70168aa18811fd6e3c

SHA1
816dae2965221b07f69ce93e45ce87ff0de11d98

SHA256
cac23ec2b3cdf0196661ca891f5b8dc913a5fff7820ff415a4957bd703b2ae63

SHA512
fd8996bbd1d0afaa24f190365d517d0c48fd5be2c760d92e3093a418f7a6c49d5abe31d91962a7b7c050348c18dfffb05f1971171b3c08fd5e711c713062b187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
09b3566c99450873ae0ae370d4f6b045

SHA1
4762d9551cb8b377546fcefd9d8a31882c1682eb

SHA256
5d309068406c375dd36cd11bff09d92b8d197e94ac3bef3924df1009c6453cad

SHA512
30871c5d28f5d4b82b8538f59ac1753094c24cdc0eef8e49a8dc1ed39c28f70183ded7fd20e12d33553334e665da1f39ae82eabde1adcecb6b8e06b3ab5b765c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f52f140edbfb29f65547b9cbefd84089

SHA1
3c93fc4921f3bb3ac4a09050fc5312cc5ec69071

SHA256
1a18074bcc5a6618102a2c80dd645ba3dbca148c09fd7e9bcf68b676c19c0c6c

SHA512
5d6fffea6c79a2b46eae7fa7dd03bb3d2db8d324f4e13cf0cd1698335544cee34006bd4e4437ce2cf54b33f2c938f332ee08c5692534ca4a037752396cfc2356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57949f.TMP

Filesize
48B

MD5
8ea25e4a9875e4d607af659a7df53339

SHA1
5707c4c96b05d08bd1332756ccae8345242b319f

SHA256
4a1669f7c4a8a7295d92b6a6d558f8b98e05f5633a03fdc8e93eaee787f0aa8d

SHA512
0e3ad362291269f75855639b1c7643682d6d16c04ed9b4d89e9a59759240ce6e22f28cc6aa7e5d405cd1314cff5aa8159a0fe5a3f2b935fe03e6cba5121fa975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
37fe34550213b8d94c44d0613389c2ee

SHA1
a7b6a8f1471e53101a0e744b84f4419ee733b56b

SHA256
aa925d3e181b8c69fbd6d636cce765cb6fb6be7245b30465436744776b777407

SHA512
8f0eaa6e1ddaa79a289dbd6760614c96b9f50077dca35b62916c249b50e553b58dca515851a5b299994bf46f9d7c905d53ef70bf7a667aeda70f108d7ce2cda9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
5956280832feeeeb620b8f2d681ba136

SHA1
28b02f908b22be7365b7cbc9f15cda9fc16d0f7c

SHA256
3dfd5f06d85d4de4fd7c448f68a0ae80b3761d7a073e82ac30c6a9be24df1d09

SHA512
7ebf08598eefc8a452b14b0843029a28ea53bb0d708547b4a96608a0db24751b7a7b5cab017f035f60de33b84e532f9ac98b111a353fad4560be00a95a32a59a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
1bb0e3ef2fd7523ae0a24a06d9e7fd97

SHA1
325683df6ace0a0027a04e1eebc16ca9ebaf5abb

SHA256
21dff95d50a457f3eb6e0676f9a44c2fc2981024c8c75cd69170536a23b63670

SHA512
2b2f7e303b0bb07b12aa77ed54674733f8e1562fe3494a99a56545bbb3ad49acd7c0af22833364610f0d56b1bd487ee71a8030172312856e42aaa8f0b412bd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
c19573355cb7b2dfb4dcedb6a501f62b

SHA1
7442dd2eaf537172e73f2c29efa756c204b840b7

SHA256
3f1627d34bf76668636e63235b9881245f5a7ebf400623674cbb50f8a35b7eb3

SHA512
a373cf7d485b6d92be979d867d37e7cab0c8a0a3cdc738891546d69f096288f29cb7bfbd94993bd3ae0cb24961f83990b51c250cba0bde79fa4acc2dfe590031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e1c20ce2-fe56-48af-ba36-75876eebdae9.tmp

Filesize
40KB

MD5
b87956e7335bf0e811dac6fe74bcc255

SHA1
bef789c1fd8a59959502a90d410019415b5cd8f5

SHA256
82a697b540bc83738cbf9dde50752ed7ae84cfe665cfa42fc0906bbb724b64a9

SHA512
458da6367d768dd2103c9cfa19db291abe2b359708925be5e7e2a878cb0e182569f78ac37b75c692e716cfc3c7e05fff9b303a276cdf52fd04d305e052b59228

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 306397.crdownload

Filesize
78KB

MD5
83a9fc73ce6c86ce660bafb0dce8ff31

SHA1
ef1f21ab34d90d7d96dfccaea0f8d9148351f662

SHA256
2e4f582e55c0294a16bbb9edb383a4fb62776bdba6f929d7a44229759650cfa6

SHA512
b03981ada644526b7fafd3c2a0ba9f50ec141e6191c886a1f8449b76c4b8339ab22a96a4d65ff1065a02bff8057995cea4628339dcce87da3e4c0c1d4281b3dc

Download Submit
memory/408-308-0x0000022CD33B0000-0x0000022CD33DA000-memory.dmp

Filesize
168KB

Download
memory/408-309-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/416-322-0x000002922C370000-0x000002922C39A000-memory.dmp

Filesize
168KB

Download
memory/416-323-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/624-300-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/624-298-0x0000021F03960000-0x0000021F03983000-memory.dmp

Filesize
140KB

Download
memory/624-299-0x0000021F03990000-0x0000021F039BA000-memory.dmp

Filesize
168KB

Download
memory/740-326-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/740-325-0x0000021F402A0000-0x0000021F402CA000-memory.dmp

Filesize
168KB

Download
memory/984-304-0x0000024DE8930000-0x0000024DE895A000-memory.dmp

Filesize
168KB

Download
memory/984-305-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1040-329-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1040-328-0x00000179EC2A0000-0x00000179EC2CA000-memory.dmp

Filesize
168KB

Download
memory/1088-316-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1088-315-0x000002A139C90000-0x000002A139CBA000-memory.dmp

Filesize
168KB

Download
memory/1120-331-0x00000224FE5D0000-0x00000224FE5FA000-memory.dmp

Filesize
168KB

Download
memory/1120-332-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1176-334-0x0000022ED23B0000-0x0000022ED23DA000-memory.dmp

Filesize
168KB

Download
memory/1176-335-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1252-338-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1252-337-0x000001F677BB0000-0x000001F677BDA000-memory.dmp

Filesize
168KB

Download
memory/1308-341-0x00007FF987410000-0x00007FF987420000-memory.dmp

Filesize
64KB

Download
memory/1308-340-0x000001FECC290000-0x000001FECC2BA000-memory.dmp

Filesize
168KB

Download
memory/3132-296-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3132-295-0x00007FF9C7230000-0x00007FF9C72ED000-memory.dmp

Filesize
756KB

Download
memory/3132-292-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3132-293-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3132-294-0x00007FF9C7390000-0x00007FF9C7588000-memory.dmp

Filesize
2.0MB

Download
memory/3820-116-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-115-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-121-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-123-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-114-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-124-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-122-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-125-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-126-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/3820-120-0x000001C643CE0000-0x000001C643CE1000-memory.dmp

Filesize
4KB

Download
memory/4912-1-0x000001F4660A0000-0x000001F4660B8000-memory.dmp

Filesize
96KB

Download
memory/4912-43-0x00007FF9A8D00000-0x00007FF9A97C2000-memory.dmp

Filesize
10.8MB

Download
memory/4912-42-0x00007FF9A8D03000-0x00007FF9A8D05000-memory.dmp

Filesize
8KB

Download
memory/4912-4-0x000001F400F10000-0x000001F401438000-memory.dmp

Filesize
5.2MB

Download
memory/4912-3-0x00007FF9A8D00000-0x00007FF9A97C2000-memory.dmp

Filesize
10.8MB

Download
memory/4912-2-0x000001F4800E0000-0x000001F4802A2000-memory.dmp

Filesize
1.8MB

Download
memory/4912-0-0x00007FF9A8D03000-0x00007FF9A8D05000-memory.dmp

Filesize
8KB

Download
memory/5272-289-0x000002863B980000-0x000002863B9BE000-memory.dmp

Filesize
248KB

Download
memory/5272-291-0x00007FF9C7230000-0x00007FF9C72ED000-memory.dmp

Filesize
756KB

Download
memory/5272-290-0x00007FF9C7390000-0x00007FF9C7588000-memory.dmp

Filesize
2.0MB

Download
memory/5272-566-0x0000028654920000-0x00000286549CA000-memory.dmp

Filesize
680KB

Download
memory/5864-154-0x0000022AA2400000-0x0000022AA2418000-memory.dmp

Filesize
96KB

Download