discordrat | d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19

General

Target

RobloxPlayer.exe
Size

78KB
MD5

8f3d0d4044ff8cc1d847687568c91e14
SHA1

fd9049e0e5c074603b78a2aea228b75e4ce6c099
SHA256

1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0
SHA512

afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY
server_id
1201970766531530822

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
51	discord.com
62	discord.com
89	discord.com
92	discord.com
93	discord.com
17	discord.com
22	discord.com
90	discord.com
91	discord.com
18	discord.com
61	discord.com
65	discord.com
66	discord.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

5424 SCHTASKS.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings firefox.exe

pid	process
5424	SCHTASKS.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

5532 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RobloxPlayer.exefirefox.exetaskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	3224	RobloxPlayer.exe
Token: SeDebugPrivilege	4272	firefox.exe
Token: SeDebugPrivilege	4272	firefox.exe
Token: SeDebugPrivilege	5532	taskmgr.exe
Token: SeSystemProfilePrivilege	5532	taskmgr.exe
Token: SeCreateGlobalPrivilege	5532	taskmgr.exe
Token: 33	5828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5828	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
4272	firefox.exe
4272	firefox.exe
4272	firefox.exe
4272	firefox.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
4272	firefox.exe
4272	firefox.exe
4272	firefox.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe
5532	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4272 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 1140 wrote to memory of 4272	1140	firefox.exe	firefox.exe
PID 4272 wrote to memory of 2816	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 2816	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4412	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4856	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4856	4272	firefox.exe	firefox.exe
PID 4272 wrote to memory of 4856	4272	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77RobloxPlayer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.0.1759926220\869648121" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea52112-2d76-4297-a5ab-4be9d8e65334} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 1964 2694a7f4d58 gpu
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.1.1320432788\326975400" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {751d847b-bd35-4248-ae9b-bf5c929bc65e} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 2368 26936c6fe58 socket
    3⤵
    PID:4412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.2.266757340\1687532278" -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3172 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d2cd02f-a2fe-4626-88e9-693f039d62e3} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 3188 2694e905358 tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.3.1700179449\1988172251" -childID 2 -isForBrowser -prefsHandle 1128 -prefMapHandle 1032 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f5649ad-60eb-4bee-abea-aa68e461c439} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 2396 2694cfe2158 tab
    3⤵
    PID:1036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.4.1656645104\821059078" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {532e16b0-f64b-40d2-a24e-03124f1239ba} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 4136 2694eda3458 tab
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.5.457895196\1908688127" -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 5084 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e28b4e5-0dac-4a4d-b6a8-fe6b1855af3c} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 5044 26936c2e458 tab
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.6.1381695627\1217493809" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbbadc9d-1897-405f-b35d-e7e967e92cd3} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 5016 269504bff58 tab
    3⤵
    PID:3260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4272.7.1297008036\1020945929" -childID 6 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d162090e-eae0-4a7f-a188-5d235caf41cd} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" 5172 26951154d58 tab
    3⤵
    PID:1096

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1368

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x37c 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
cf8850361245bc9329910c79d5346fd6

SHA1
85a78234bf5e30de3dc20f5635eb101118ed7d5c

SHA256
3dd0aa91345006822b1dba9fb6cebd44716eac9e880f85b18225eada1f29f586

SHA512
1ddafc9011da0c26ca5eef0dcaf3d60d87223f994ba38bacf337ec64efba4389f2c29f3fb3c73e63975e1eb5bd0a6eb8b307716a9615f3bba7da3dc794d0a854

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\8a27e657-70ca-4dc4-b97c-2d935e3fa73f

Filesize
734B

MD5
81f51d220537b49d5189032d336a8a53

SHA1
a3c108cf18a83a9f84e0e66a579549653798895b

SHA256
19699d16ac887e832d076a5ad08d8926ceeb2ba9619dfd04bd4ab36779425f5d

SHA512
24a5d5ac95898de57adf6111bb6edb30eb999cdd86ba06bcac1ec76f7fcd6e84a55324c8118d180172320a403060957fa452b36a9d538d4aa7400acdfedb9e37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
ec4bd853b07dfcef7afc46339ec780aa

SHA1
3df77c90de6f9b8064cb90fe5c64f850ef0a41ab

SHA256
0ef0d06cfa2cd8249227fc98a5efca1abee1818803d58640cacdfa95752794ad

SHA512
f1fd6b6b2f65aada157dd2bfdba62d265e1b22612ef2c4f1b0b22f20caef5f06f78c75c8a272e5c8105e2b4c169e3ba5c4e59ae40768db0968a6524b38bc8ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
1f91034dd8071cfbac2554f678dc1e16

SHA1
aafaa5d913a368df2fad81df2f0a7ae8db12c083

SHA256
06ba34c51c0fd3b83b75d1a95d5d6271bd2657440c36595a18ef286f4d585660

SHA512
3345552a87207d41dbe7665b46fc85deb3164bc4462606ed46eb31d0ad42abd638f2a3c09199d6929134e912ffa0b5553268c55e0e72fb4495c11fe840b395de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
78a1535d92a1e831d6d323d36935df7a

SHA1
25b48f3e0b5783f888bac0b7abe2a1eb83fbddee

SHA256
6601df14391bd4025bcee16f46d8f5273c16be86b31d471b92837776581121b5

SHA512
057228e572efdb5cc99b6a7acc183b37ea17ff7a4fe2ee518f3f71eaafc34a77d4a752d269c996ffaaa207c0d3b3dc1641791d57658f1da59b0a7fe5e1e90a2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fa0f9433c6b6c03471a99d4810982e76

SHA1
92767f9b3493401592d75391efff36199759bb64

SHA256
042e5f9e87d2ef32115a9c480ece5d61de1fe41264c4e556ce5fdce91d2976bb

SHA512
a4a1deeb90b65f3d18fb2b1e4b849d76019810ae63f9e80ee8d9010663b60d81024eb2ad1eefe976614d02453b91b45b15b36e4454af72405e8c9d4981a71cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e81595754e630fcf4c1b64b1a56268c3

SHA1
3171de1a2c1740c43cc42754cf6e34adeaa57f2f

SHA256
3530b5aefa1027f567d8da7f045ee5f12af02ea629ce1bd9c4fc7818bc6335d3

SHA512
75a30871027fd705a02d111b8909999f2b8d838e9613c41f9b8b06a1c6df45a8cc63453857035197a1501568427daa1a2b834da1b1eb5c3f645447d71a28e899

Download Submit
memory/3224-4-0x000001F2AADA0000-0x000001F2AB2C8000-memory.dmp

Filesize
5.2MB

Download
memory/3224-3-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-141-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-137-0x000001F2AA9C0000-0x000001F2AAA6A000-memory.dmp

Filesize
680KB

Download
memory/3224-2-0x000001F2A9BB0000-0x000001F2A9D72000-memory.dmp

Filesize
1.8MB

Download
memory/3224-0-0x00007FFFD6D23000-0x00007FFFD6D25000-memory.dmp

Filesize
8KB

Download
memory/3224-1-0x000001F28F3F0000-0x000001F28F408000-memory.dmp

Filesize
96KB

Download
memory/3224-120-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-119-0x00007FFFD6D23000-0x00007FFFD6D25000-memory.dmp

Filesize
8KB

Download
memory/5532-106-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-103-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-102-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-104-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-105-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-107-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-108-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-96-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-97-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download
memory/5532-98-0x000002649C570000-0x000002649C571000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads