discordrat | 1476253151800a7f9e7c39b61a25a2c107769212ed847083f8ac0d5ed49d8631

Analysis

max time kernel
405s
max time network
415s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 17:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

a614ffb04f1b40d34e17ebe6958e43cd
SHA1

be32312b8b3d426cf3be1267aacc19dc7b332826
SHA256

1476253151800a7f9e7c39b61a25a2c107769212ed847083f8ac0d5ed49d8631
SHA512

59646dbd941e419943b82ce79c3c7444fbfe52d046f8adfaf25c8448a88b1b8c487252234db25cd3bb092e8721eb93f8bb8b8c9a8e8545e3fbc0081569d42f33
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+CPIC:5Zv5PDwbjNrmAE+uIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzM5NTg3ODUxMzg2ODg1Mg.GrWkny.T42N-XPbZi5vXQ9yat9Y4l_0_1T1AkqFScCsFs
server_id
1250120108064378900

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

flow	ioc
12	discord.com
93	discord.com
46	discord.com
90	discord.com
198	discord.com
47	discord.com
88	discord.com
201	discord.com
202	discord.com
205	discord.com
11	discord.com
89	discord.com
99	discord.com
102	discord.com
204	discord.com
92	discord.com
91	discord.com
101	discord.com
203	discord.com
94	discord.com
96	raw.githubusercontent.com
103	discord.com
196	discord.com
100	discord.com
197	discord.com
27	discord.com
45	discord.com
48	discord.com
95	raw.githubusercontent.com
97	discord.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638983861011010"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3236	NOTEPAD.EXE
1052	NOTEPAD.EXE
4420	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2052	chrome.exe
2052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	Client-built.exe
Token: SeDebugPrivilege	3756	Client-built.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeDebugPrivilege	3352	firefox.exe
Token: SeDebugPrivilege	3352	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4420	NOTEPAD.EXE
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe
3352	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3220	3756	Client-built.exe	119
PID 3756 wrote to memory of 3220	3756	Client-built.exe	119
PID 2052 wrote to memory of 4740	2052	chrome.exe	125
PID 2052 wrote to memory of 4740	2052	chrome.exe	125
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3184	2052	chrome.exe	126
PID 2052 wrote to memory of 3432	2052	chrome.exe	127
PID 2052 wrote to memory of 3432	2052	chrome.exe	127
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128
PID 2052 wrote to memory of 4408	2052	chrome.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
  2⤵
  PID:3220

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LIGMABALLS.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LIGMABALLS.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4780

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LIGMABALLS.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8186aab58,0x7ff8186aab68,0x7ff8186aab78
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:2
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1904,i,16044230970601099709,17498993286800012465,131072 /prefetch:8
  2⤵
  PID:776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1148
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.0.611667990\579490538" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37609cdc-1a4f-44d0-bf6d-f309ce02e02c} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1884 22bd690f058 gpu
    3⤵
    PID:396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.1.1003982375\1639704569" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18e7a28d-4097-4aed-8e2c-dbcba91c0414} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2452 22bc9c89358 socket
    3⤵
    PID:60
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.2.570681275\1651211013" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03a3776b-8e3f-49aa-bd4e-8c10b0d49e29} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2968 22bd92f6258 tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.3.1552091715\1323917467" -childID 2 -isForBrowser -prefsHandle 4192 -prefMapHandle 4188 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d251f63e-95a7-4c0d-9c50-12f4ec46f9f2} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 4204 22bdb8f7658 tab
    3⤵
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.4.1619521568\549020078" -childID 3 -isForBrowser -prefsHandle 4376 -prefMapHandle 4920 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {203f0859-99b5-4fec-9ea5-539668eb9798} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5040 22bddf7d958 tab
    3⤵
    PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.5.677896156\1159899600" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {468e93e9-69ef-4ab0-8d10-81e2550454cc} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5172 22bddf7e858 tab
    3⤵
    PID:1812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.6.14603270\440330718" -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b47e4742-1c1f-4f9a-a86a-55009e760c0c} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5364 22bddf7c158 tab
    3⤵
    PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b2f3c3251386788d4c620701ef9cb5de

SHA1
b377d386cfe691c99474d22d248319d0e7119dd0

SHA256
88aaaed48d3acda95d8f21572148d4f1f2e667125e5c976b2e1fbf5ef1b1d428

SHA512
1a32f3a4bda56f150e4a1206c06f1044469aa2682772c392007efd5b9091e7b84fbc39dae7729f85a2c567233b59bdf188d9d295c6826b74db2b34509d1be57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b48bafd21d9af9bb2ac8e64f75fc0f5a

SHA1
168b7b5cd85ff33e6ff9b13c3db97dc0d5ab8cb3

SHA256
c9108affbde664f61fcafb6789257a011b21bef584b17de2c120582274ca6fd1

SHA512
f8c14bd4351d5db31d27343e560d5ef9e9a9d387eeb108468534d8af507951fb7b5e73766397a52d8acf23e26cb5b58b5c3b2ee28e18b865b723a885fb7b7301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8679d77b24cd676641f735b7e398cc32

SHA1
6e896ce4e4e23427416838ab1d9e106efc2ef0f4

SHA256
d158eb7a70e51d26e8a0e903f83f8c65b41ad5e8263adbff6308dfcfc3128b48

SHA512
8a9cac85d7dacb5be4863fc1d9696209fe61d8f6fac303d1b4bed70d215f20311b6be29f35ebbbba2972500f85f727090a528f315585f28d72c986a966c80055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
6080d402d60d7d69125bbe6d6812b8af

SHA1
e3925c0475a87b57c2e74930fa17c36f928393ea

SHA256
e66e261a78876753866a0d15e4c0d7a5c5273dc98017eed322c2b1b0a0051c26

SHA512
d2271d4b580d28911c62f4916bb514dbd65664ded5141970e9bc357e75e7caa554e1a964138d50116f750b08af5a9a91fd553a325f6b6db0d60f249b1d67bb50

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
84cc81e3df53191e2ca3159d319316b0

SHA1
aaca3d7bf7dab95ecfeb5110aee954b467e43ba6

SHA256
798e0ad54b78cd4c8880a09755c7d238c9885bc53b49c6225bf2d62a6a589359

SHA512
1aa1648b5f1046ce21b22e2b86f596ce86e4f5f769d16c4f6e3b1b53d8611ebcde938e2c4fb4ba5bf97bc8de57a9b91d28d23f70a1a92e50bec58ad3f9df5779

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
64769595e1f9c7c6e540e49195cf529a

SHA1
6e05dc3900c2ebeb89ad2fb8afe2e74856bc84e0

SHA256
3360f9e2bc8ac82c5340cad2adc1ad97309c4ea046b93b30833e0ee074e4a0fc

SHA512
d0b9aa487fd505b55c2ba32ee1e672ea40ba03b5684f8e70e4b2a42cf70524969a1725bfbdc25789e2ac8cc14a903a9257b9dc058426abec381c1ab78f374745

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

Filesize
7KB

MD5
6b22e8e28642f1bbe46752e6b0cdb44c

SHA1
04f691d809f33b3afb2bcd0860581582bdfd9e5f

SHA256
ab529c520263a3812ce462ab816d5b960e25dc5c8d97957d10044b22b9fe2560

SHA512
04c346bef96f3a68a884fdff5ed28018b5782b1a53b6392ce34f3ef83c487158a089964b4d5a877e3e89a507a1ef4a0e2eb005fd8667b613a325356a1b6f6362

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

Filesize
6KB

MD5
66c56c5dd373cafa995e70739594daec

SHA1
5887e3e2f8c62a6459219054c3583262e9edc9be

SHA256
14414404b219da385fa02cdb9432bfd56dbeedb0d3456bb35fcc88b2c99316d4

SHA512
a4f3bea99defb975cd71771cc557a5dddc008d764879f05a06792294ff9de6c0c498c19b05946266587afd56c7e60c22f2cf4fcf6c10d6875a3226c686d0749f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

Filesize
7KB

MD5
4f4401dd1404a7bf7fb7b77609bb9b88

SHA1
ba3fbab6c8f37561e1335b019de6c4db2f9ddddc

SHA256
0e64ecc20614902872dd9422be889b8e172694966a3436eeff5327bf646a72d6

SHA512
b4e3843068c410ed0aeacc59a7bfe87ef6ba3b931ef2fda3ce9f42bf19136a0d166e7a2a6590c21b677305fbba47908f5b5dccb3890ee60f172250b3d5be17af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c91180c81fc3f4371c5eb932745e2b53

SHA1
8195f1ecf05023b96780dded614a6bc30fd599e5

SHA256
14d57bf7cc116791966b9f43da20602b7bc426f09706ca82d993ae5cfae9324d

SHA512
b0777dd68fbe9df92acbf84798e2d970887b7e9e6585f215e5439f0a60bbc0fda5650daa37f67d4e0b15a89255b6fb7406fe5d486e8b4ba8fb0faf5a42c067b6

Download Submit
C:\Users\Admin\Desktop\LIGMABALLS.txt

Filesize
110B

MD5
b4e56ed682f6206d78054f7b4f7926aa

SHA1
8267e291ac727dab0c640ce2efc700423f26dabb

SHA256
2ab2e2cb03d57fd7226959aaa978d308f5c5fcb2614bc482f827c83b15deadcf

SHA512
5beee9c1f44414113b88b53129fc31f3f4e5092f7981cc12fa30ce67a7ab92d1be13efc8066a79878b7ad2048e9cd9946c401f3987e323e129d250abfae7999c

Download Submit
memory/3756-0-0x000002BB93F70000-0x000002BB93F88000-memory.dmp

Filesize
96KB

Download
memory/3756-9-0x000002BB95CF0000-0x000002BB95CFE000-memory.dmp

Filesize
56KB

Download
memory/3756-6-0x00007FF81BD60000-0x00007FF81C821000-memory.dmp

Filesize
10.8MB

Download
memory/3756-5-0x00007FF81BD63000-0x00007FF81BD65000-memory.dmp

Filesize
8KB

Download
memory/3756-4-0x000002BBAEDF0000-0x000002BBAF318000-memory.dmp

Filesize
5.2MB

Download
memory/3756-3-0x00007FF81BD60000-0x00007FF81C821000-memory.dmp

Filesize
10.8MB

Download
memory/3756-2-0x000002BBAE5F0000-0x000002BBAE7B2000-memory.dmp

Filesize
1.8MB

Download
memory/3756-1-0x00007FF81BD63000-0x00007FF81BD65000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads