discordrat | 7e690350c542b5ef188e025289e1c45de6af63cf76c9f2a481d1106942cbcc80

General

Target

Client-built.exe
Size

78KB
MD5

65c0da07a900f065d0e646141dbb2c26
SHA1

c226f0d1eb995243973948905557be2d71a968b3
SHA256

7e690350c542b5ef188e025289e1c45de6af63cf76c9f2a481d1106942cbcc80
SHA512

7ce50d126fb3fe3ab29c35ab67342d2f3342a6fa40b748d1f14785f5e78eee83d4791486f9c65e7495793472a8a37595ef649718097ad598c18e27857b37a8f6
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+IPIC:5Zv5PDwbjNrmAE+MIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NDA5NTY1ODUwNDM1OTk3Ng.GQtKqS.OFSoW-g_7DMwUhMpwVakTNjxsEee1_mUG1GGrM
server_id
1244341520782458942

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client-built.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

8 discord.com
9 discord.com
20 discord.com
63 discord.com
64 discord.com
65 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
8	discord.com
9	discord.com
20	discord.com
63	discord.com
64	discord.com
65	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612259439147300"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1124 chrome.exe
1124 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1124 chrome.exe
1124 chrome.exe
1124 chrome.exe
1124 chrome.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Client-built.exechrome.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1584	Client-built.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	4700	shutdown.exe
Token: SeRemoteShutdownPrivilege	4700	shutdown.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4084 LogonUI.exe

pid	process
4084	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1124 wrote to memory of 2848	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 2848	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 4968	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3384	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3384	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3092	1124	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ea1ab58,0x7ffc4ea1ab68,0x7ffc4ea1ab78
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:2
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2072 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:1
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:1
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:1
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:8
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4248 --field-trial-handle=1876,i,11564181143870339485,4938841912863123038,131072 /prefetch:1
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
dab9ae0f42cf2e4c15cae6d7a89fb0ef

SHA1
68f391918439b304be90be1f32576da35af655b9

SHA256
252a376a22d3b8ea61e3794bc2f3c110c7fed334ea5a18238b8525d622e186ab

SHA512
099d1197e50bb095432ce7c1b0914b11ff33584c4c901d6e1c3e83ad47bcb0c581413e58aa29c210aaeea9cce9c8e35e6d89d5aadeeef5c60457f61724fc0285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
92863f3f2d342a51db712800b8161adb

SHA1
d2c93a90c0d57d21408155cf01f0ac6739147949

SHA256
4739e002fe681ab9f72214c4a35565e336ac56fb448d05e5c215d8a46524c102

SHA512
801a97debb32ae99c433135ba0a965bd41af871521b7dc8d181428c56a780843e0e6dd43b8c7530bd9fab64149cf3dc3eea7f45a4a55f33afceebae12d1385a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6f7ef98aac5d58e9f36787b1c5616600

SHA1
92c53cf4089fe2a3e02ccf7184de5926d5c7821e

SHA256
7e0b3e3b17024c05b1d11823c316e3745b9c09885e0e7e4335ffe1c60c9f6155

SHA512
9be49e8ef11d2782146f5323a6af8f5351d228fd26a67001ebae732881bbac3ec1fcad349c5aa11d315b76f72dfc1d96221b65a4b734b5f188dcb28a6cd37bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
177f8bbe80fedcfae99c1daa4de19b61

SHA1
cef9d5b85936fe01f3058075a742cc8e8eb6c7ea

SHA256
b7f906cd9b0f021f42f4b1d01916cfbd0cab020e2f36f61492faa574112eb845

SHA512
af9279800f4d68fd125265f75ea374ccd1a2f55a562916b049fa347e651680e4bd7fd8d41a483e5cbc3963ecae5f5a19cd65ca750ccaecff16b9617063e9962c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
ec6c4f0d4325e41aadd69846fee921b8

SHA1
4f777ff0ba47d376f37603b94b1ff8902f064838

SHA256
d8ff7d076f47465252250b0f1f2d0cee7415abe12bda66b74b32d2c4ca469c9d

SHA512
65b8a06dd96ec8f47ebce0fa6a435aae2a5f3e2040bfb6fec180ba6592e2c20192040e0ca95cdf600541fa3b61d7bbae212c90c3eb565d54dae0fb2089eb40e6

Download Submit
\??\pipe\crashpad_1124_VKPRXCSFDOIBLLFJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1584-4-0x000001ECDA040000-0x000001ECDA568000-memory.dmp

Filesize
5.2MB

Download
memory/1584-3-0x00007FFC549E0000-0x00007FFC554A1000-memory.dmp

Filesize
10.8MB

Download
memory/1584-2-0x000001ECD9940000-0x000001ECD9B02000-memory.dmp

Filesize
1.8MB

Download
memory/1584-1-0x00007FFC549E3000-0x00007FFC549E5000-memory.dmp

Filesize
8KB

Download
memory/1584-0-0x000001ECBF2A0000-0x000001ECBF2B8000-memory.dmp

Filesize
96KB

Download
memory/1584-79-0x00007FFC549E3000-0x00007FFC549E5000-memory.dmp

Filesize
8KB

Download
memory/1584-108-0x00007FFC549E0000-0x00007FFC554A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads