discordrat | 780815f7b1197e89dd796f625782af49026bc7691fd686eb25f3f9ab2002579a

Analysis

max time kernel
148s
max time network
182s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-02-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vanta.exe
Size

78KB
MD5

da5a7eb9e117cafa2d9137d1723a33dd
SHA1

e35b1f51e72ef5d2f8290ac7d0ec87cc15235899
SHA256

780815f7b1197e89dd796f625782af49026bc7691fd686eb25f3f9ab2002579a
SHA512

4686f8d49b4ca27c1ca4bccdfaad7c8369e475cdc1b59a9ac5af10dc5382d449c60daa993d9311dd2e70a3ee535449705665699691a3bd8bafd37ebd075fd7af
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score

10^/10

discordrat persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5NzkyMTQ2MDE3NDQ2NzE1Mg.G10JF-.bNlt2_PKNFUbG2pRSlM23bcrdFtXhvMU_yl7hY
server_id
1052631250457866370

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
4	discord.com
57	discord.com
61	discord.com
62	discord.com
64	discord.com
75	discord.com
1	raw.githubusercontent.com
9	discord.com
65	discord.com
2	discord.com
8	discord.com
56	discord.com
60	raw.githubusercontent.com
74	discord.com
6	discord.com
7	discord.com
58	discord.com
73	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6A7D.tmp.png"	Vanta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
4880	msedge.exe
4880	msedge.exe
3656	identity_helper.exe
3656	identity_helper.exe
3924	Vanta.exe
3924	Vanta.exe
3924	Vanta.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	Vanta.exe
Token: SeDebugPrivilege	1860	firefox.exe
Token: SeDebugPrivilege	1860	firefox.exe
Token: SeShutdownPrivilege	3924	Vanta.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
1860	firefox.exe
1860	firefox.exe
1860	firefox.exe
1860	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
1860	firefox.exe
1860	firefox.exe
1860	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4880	3924	Vanta.exe	78
PID 3924 wrote to memory of 4880	3924	Vanta.exe	78
PID 4880 wrote to memory of 3360	4880	msedge.exe	79
PID 4880 wrote to memory of 3360	4880	msedge.exe	79
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 2344	4880	msedge.exe	80
PID 4880 wrote to memory of 5052	4880	msedge.exe	81
PID 4880 wrote to memory of 5052	4880	msedge.exe	81
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82
PID 4880 wrote to memory of 1872	4880	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Vanta.exe
"C:\Users\Admin\AppData\Local\Temp\Vanta.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5e5a3cb8,0x7ffd5e5a3cc8,0x7ffd5e5a3cd8
    3⤵
    PID:3360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1796 /prefetch:2
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:1872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
    3⤵
    PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4383376372475545053,11949547306794940868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
    3⤵
    PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2092
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.0.1571139487\1306220827" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0054a76-fca7-44d8-991a-f2dd60b201a6} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 1888 189b91dbb58 gpu
    3⤵
    PID:2552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.1.368647441\1111055787" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22de7ee5-dd74-4261-b4c2-31549db682e7} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 2264 189b9105658 socket
    3⤵
    PID:332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.2.1283620218\324233811" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3358746-edc4-43fa-be1e-dffff6dd8c58} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 3040 189be4a9258 tab
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.3.1225592432\1680060077" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cc0f1ac-0284-416e-91b6-8e310e3eeb6c} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 3488 189ad162558 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.4.500461105\400291266" -childID 3 -isForBrowser -prefsHandle 4444 -prefMapHandle 1596 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92e69aaf-73c5-4641-a821-60de0820f6e5} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 4456 189bffdd458 tab
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.5.1794787736\1742172506" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5056 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a8e0bdc-cc08-437e-b635-3ea51189ae11} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 5028 189bb89c258 tab
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.6.1359390629\2138822056" -childID 5 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2a716b4-82ad-45d3-b2db-2bf5dba67c4d} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 5004 189c089c358 tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.7.1674076696\1292508457" -childID 6 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ef1e50a-7ad8-4625-9d75-227ad2964a61} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 5320 189c089d258 tab
    3⤵
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
ed8054ec26c8d1ea51ff6dd020ee2383

SHA1
e3ded7ba5ec28e600efe7324281ca076fb5b37be

SHA256
c248fba79b3ec434f4f51ec17c9d986cee5c251963ea0097c2d6ca628c68df13

SHA512
4af352735fde02e6b798f1ff327776367ea33e238b8ac622e27945e7575d3b5882ac0e1edd479f4a08d249db2edc644228394bc6f34342e20b754594833fdb4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
33afa818ef74f02c4cf169d371955629

SHA1
78c290b85f5369db900fde8623a979eb3621e7a3

SHA256
63b6bde1b7cdddec72bd0edda4141c376126d109438433f9890c614bd2507433

SHA512
76488e185d2366eb3baa80ea731a6daadaa2182ca22d2b8c123584f45508668017bce013a204891cd1894cd33f820ee1186dc326cbe7b727023d857d766d5fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dc5192a75a66501c521d0c22f6c80ca7

SHA1
abb37e7af2bff2ac8c628ad39bfd303697fe63f3

SHA256
e0c29a382f5ff238d5e0fb5eb1ab668c3407854aa111f39f1a6e9c1f2dedac6c

SHA512
d5647978788232cfea6a60974abbbe3302c2461943671470ac744e6adcb74c8ab142d949155f4382b524890d6e1be7b04a5775298be5ee295a5bad5281854556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e00150a7d4000c01846c191273aca0e

SHA1
97d4a5f6fc0ebb10e03927661f94bc079362eaf0

SHA256
9f31beea8604c66792f82ae102e8f9f1411108ff9dbdb0aba504c4e9331c88cb

SHA512
a850843ecb50e239b36ca2e6fbb9ee98819d61f75dab4d0c7d3caa87a0c6d2c478667e99834d39e7c73a059c067534c496d0e2ec3e20bca9d7de85f5faf90e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e001b633edce72b5456130b09d62d570

SHA1
666646865d278da8b63b45d93347fec7e963a35c

SHA256
73659a5ab434be8c58dfa6ab511ede588d1c93500e6ef0b40b1400f37e051fed

SHA512
3436aaa0d620a3d4170a76e6e70dc67346ce275c6ea55cc539153572544cfb2dba95e7665e55b0064ad4e1c48cc221cec857f04caae7a3f8bde68e99cbff86df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582304.TMP

Filesize
48B

MD5
eaa991049f5f5f1dc2de41546e7b1c1f

SHA1
90b0374b0984ffd3e6f4f494f3fa6adaeb573b1f

SHA256
5a595005c3807feda8f533b68c16e48946a44bfcac4ff7dd7b7cfb7d38f4cd26

SHA512
2af38a19688e8e0d87a6531c79aefc05635f49a293f6bd19a6bc2b1589c5e6bf5f8e81f2b85910bb358c3cdc6f4224f9d9dc92c381704eb982f0336d75696b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bc0d2da9bec2c79afb31baf62feab63

SHA1
b367eadc680a836854af2f839ced2f1a873e045d

SHA256
caf45faf7f327ca04396c169b2d607e64f95f9df07f7e12cf38f0b33c57e9361

SHA512
0e54169b81b9980410bd4cae37797f04f6ff4b2b366be75a63e2e6b7c5dc08d7baf068fe3b1d2f56052905bdb953fa94a174e39ec8e94d90c672bc004b72068e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e50986464fadf898fa54afc4c57ef68a

SHA1
3f9578498e5f5cbd9499bcc1e976dc18a843bc27

SHA256
4204be60d639c25143f2eb0a983e6daa505194b854c4fedc900534995c86449f

SHA512
0b3c31df4dfbf6d0d7d69a3a2e3ee1421c889d615595e2254ca960a5ae32d580fe15b3c3e92393b9333cfe6c9413a65a1d2cfd0777dcce51976ebf94de0c2ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\07c2e64d-5416-456a-a8e1-a4503ddf5610

Filesize
746B

MD5
86b3f8df8277c63df5fa2c231bfd4664

SHA1
7ed13a473ead42500152ee1d45c99e21db238126

SHA256
2289686d97b81f7c60d51c94422307fc5f2fdc8b5e30d8c7aedcabb4c936a8aa

SHA512
0e2bd5fdee46aef625c669bbefa4f2b3dcd7ef9ba9797e836a15e60e7ef958aed982944ce33423b92c6d53038c3885d7a9d6397f9f2665e6f62b9ff23ac4a9c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\4b6cf46d-fb3d-4a0b-a056-0173c6f45323

Filesize
11KB

MD5
8d56cdd60d3a491d32a5b80c172ca22b

SHA1
2374314e67f84806f18ae731cafac17cb7c4fee6

SHA256
500ea06ead303b3a77bee5fdab7f404011c40faacf0bb036984469ac8758eb23

SHA512
e616ab52d2427a4952ccc2b88aded837d7dceaa5c7efd71d409132d19a56babe57e084e6e192ceb31d6f23aad8108676c025b56e2e9b7476e240d518839999cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

Filesize
6KB

MD5
567f94d289f1f01342fd6237532fcca6

SHA1
c8e607c6bf0a2e2835a259b36a69e08ca0832a77

SHA256
0a8807a825bb869984a614d1c0eb4bf976acedf217b86236a516d7a107b153a5

SHA512
e7accc39b529cf2fea8f32c58500b94db3f9080db9d250a419cb102329973681540e940c449e8cb60856e5827ccfb6a72c2b8ba2c66be8f64bd882c245b30179

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0b2800e409213a56848a48d86b3c0190

SHA1
552ca555351af4a764ef8798c1f094b49ed598c0

SHA256
dcf9d97a404003a79d0dc53e0ac771e26ddbfee286a6afa9a2e04d7397eb52a3

SHA512
c599c2bf492808abf3cecbb68af01a211394e25baf977128df6c47213a5528a231dae4e6aeba276ae96c4d635e1c4e2f08d2fe86695a7c436df06a127a3b2e4e

Download Submit
memory/3924-6-0x000001B6454E0000-0x000001B6454F0000-memory.dmp

Filesize
64KB

Download
memory/3924-0-0x000001B62AEB0000-0x000001B62AEC8000-memory.dmp

Filesize
96KB

Download
memory/3924-278-0x000001B647250000-0x000001B6472C6000-memory.dmp

Filesize
472KB

Download
memory/3924-279-0x000001B62B420000-0x000001B62B432000-memory.dmp

Filesize
72KB

Download
memory/3924-280-0x000001B645480000-0x000001B64549E000-memory.dmp

Filesize
120KB

Download
memory/3924-5-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmp

Filesize
10.8MB

Download
memory/3924-4-0x000001B646990000-0x000001B646EB8000-memory.dmp

Filesize
5.2MB

Download
memory/3924-3-0x000001B6454E0000-0x000001B6454F0000-memory.dmp

Filesize
64KB

Download
memory/3924-2-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmp

Filesize
10.8MB

Download
memory/3924-1-0x000001B6455C0000-0x000001B645782000-memory.dmp

Filesize
1.8MB

Download