discordrat | 5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

General

Target

Discord rat.exe
Size

79KB
MD5

4a825505953f3f758e1da9bab73df39e
SHA1

ee7226735ea2d358d8628e037f35d38fc799ef50
SHA256

5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977
SHA512

43120fc749ee67d7b8371aa921ee9a7b3769cbc63db06c0dd5cadfa7a83aeeb51e3a54ac4e8c0738cc58b22bcef0d8c5198b753626955371823d11a54d0d12a9
SSDEEP

1536:UeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqik:rycDpiiSoH8ovTpFl+ktd2+6CHpHKcGw

Score

10^/10

discordrat evasion execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
server_id
1256666099580403734

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 4292 created 628	4292	Discord rat.exe	winlogon.exe
PID 4292 created 628	4292	Discord rat.exe	winlogon.exe
PID 4292 created 628	4292	Discord rat.exe	winlogon.exe
PID 4292 created 628	4292	Discord rat.exe	winlogon.exe
PID 4292 created 628	4292	Discord rat.exe	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5240 powershell.exe
892 powershell.exe
4124 powershell.exe
4792 powershell.exe
2164 powershell.exe
3248 powershell.exe
2888 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

pid process

5276 NetSh.exe
1380 NetSh.exe
2772 NetSh.exe
4540 NetSh.exe
1988 NetSh.exe
3512 NetSh.exe
1880 NetSh.exe

pid	process
5240	powershell.exe
892	powershell.exe
4124	powershell.exe
4792	powershell.exe
2164	powershell.exe
3248	powershell.exe
2888	powershell.exe

pid	process
5276	NetSh.exe
1380	NetSh.exe
2772	NetSh.exe
4540	NetSh.exe
1988	NetSh.exe
3512	NetSh.exe
1880	NetSh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Discord rat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

14 raw.githubusercontent.com
16 raw.githubusercontent.com
22 discord.com
24 discord.com
30 discord.com

flow	ioc
14	raw.githubusercontent.com
16	raw.githubusercontent.com
22	discord.com
24	discord.com
30	discord.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 4292 set thread context of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 set thread context of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 set thread context of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 set thread context of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 set thread context of 1728	4292	Discord rat.exe	dllhost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

Discord rat.exedllhost.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exe

pid	process
4292	Discord rat.exe
3992	dllhost.exe
3992	dllhost.exe
892	powershell.exe
892	powershell.exe
4292	Discord rat.exe
4292	Discord rat.exe
684	dllhost.exe
684	dllhost.exe
4292	Discord rat.exe
3084	dllhost.exe
3084	dllhost.exe
4792	powershell.exe
4792	powershell.exe
4124	powershell.exe
4124	powershell.exe
892	powershell.exe
892	powershell.exe
4792	powershell.exe
4124	powershell.exe
4292	Discord rat.exe
4292	Discord rat.exe
1772	dllhost.exe
1772	dllhost.exe
4292	Discord rat.exe
1728	dllhost.exe
1728	dllhost.exe
2164	powershell.exe
2164	powershell.exe
3248	powershell.exe
3248	powershell.exe
2164	powershell.exe
3248	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Discord rat.exedllhost.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	3992	dllhost.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	684	dllhost.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	3084	dllhost.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	1772	dllhost.exe
Token: SeDebugPrivilege	4292	Discord rat.exe
Token: SeDebugPrivilege	1728	dllhost.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3992	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 892	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 892	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 3540	4292	Discord rat.exe	cmd.exe
PID 4292 wrote to memory of 3540	4292	Discord rat.exe	cmd.exe
PID 4292 wrote to memory of 1380	4292	Discord rat.exe	NetSh.exe
PID 4292 wrote to memory of 1380	4292	Discord rat.exe	NetSh.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 684	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 4792	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 4792	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 2004	4292	Discord rat.exe	cmd.exe
PID 4292 wrote to memory of 2004	4292	Discord rat.exe	cmd.exe
PID 4292 wrote to memory of 2772	4292	Discord rat.exe	NetSh.exe
PID 4292 wrote to memory of 2772	4292	Discord rat.exe	NetSh.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 3084	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 4124	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 4124	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 1984	4292	Discord rat.exe	cmd.exe
PID 4292 wrote to memory of 1984	4292	Discord rat.exe	cmd.exe
PID 4292 wrote to memory of 4540	4292	Discord rat.exe	NetSh.exe
PID 4292 wrote to memory of 4540	4292	Discord rat.exe	NetSh.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 1772	4292	Discord rat.exe	dllhost.exe
PID 4292 wrote to memory of 2164	4292	Discord rat.exe	powershell.exe
PID 4292 wrote to memory of 2164	4292	Discord rat.exe	powershell.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b928e319-5de8-4cb7-8c93-2c943ca8ace4}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3e7feb24-977c-4e5b-9a1e-8404e6582fe6}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d385a899-e9da-4de0-b40b-3f688d2658dd}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{08e03df9-d2ac-4150-9d7b-34c57a68a3ab}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bad0e896-df5e-4b59-aea0-274d103aea89}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{75aea8e5-9ddc-4b67-a8af-70fb97673027}
2⤵
PID:4284

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{425ce8f2-2cda-4aaa-87e1-ecbb1261b277}
2⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3540

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:2004

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1984

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4940

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:216

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2888

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1524

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5240

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5260

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96e3b86880fedd5afc001d108732a3e5

SHA1
8fc17b39d744a9590a6d5897012da5e6757439a3

SHA256
c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

SHA512
909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4h5z5eah.3zm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/392-111-0x00000204A6870000-0x00000204A689A000-memory.dmp

Filesize
168KB

Download
memory/392-112-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/628-107-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/628-101-0x000001D6BA350000-0x000001D6BA373000-memory.dmp

Filesize
140KB

Download
memory/628-106-0x000001D6BA380000-0x000001D6BA3AA000-memory.dmp

Filesize
168KB

Download
memory/684-20-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/684-22-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/684-21-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/684-25-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/684-23-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/688-104-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/688-103-0x0000021917D50000-0x0000021917D7A000-memory.dmp

Filesize
168KB

Download
memory/696-123-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/696-122-0x000001E2ADF40000-0x000001E2ADF6A000-memory.dmp

Filesize
168KB

Download
memory/752-120-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/752-119-0x00000224D0990000-0x00000224D09BA000-memory.dmp

Filesize
168KB

Download
memory/892-17-0x000001B51D8F0000-0x000001B51D912000-memory.dmp

Filesize
136KB

Download
memory/892-18-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/892-16-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

Filesize
8KB

Download
memory/892-24-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/892-82-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/964-114-0x000001956FFD0000-0x000001956FFFA000-memory.dmp

Filesize
168KB

Download
memory/964-115-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1048-127-0x0000026C07C90000-0x0000026C07CBA000-memory.dmp

Filesize
168KB

Download
memory/1048-128-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1084-130-0x00000260A0170000-0x00000260A019A000-memory.dmp

Filesize
168KB

Download
memory/1728-69-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/1728-99-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1728-68-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1728-70-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/1772-66-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/1772-62-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1772-65-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/3084-38-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3084-40-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/3084-39-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/3992-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3992-8-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3992-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3992-12-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/3992-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3992-11-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/4292-7-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/4292-5-0x000001EC6BA70000-0x000001EC6BAAE000-memory.dmp

Filesize
248KB

Download
memory/4292-15-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/4292-31-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/4292-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

Filesize
8KB

Download
memory/4292-59-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/4292-63-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/4292-6-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/4292-14-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/4292-4-0x000001EC6CBD0000-0x000001EC6D0F8000-memory.dmp

Filesize
5.2MB

Download
memory/4292-3-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/4292-2-0x000001EC6C390000-0x000001EC6C552000-memory.dmp

Filesize
1.8MB

Download
memory/4292-1-0x000001EC69D00000-0x000001EC69D18000-memory.dmp

Filesize
96KB

Download
memory/4292-784-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

Filesize
8KB

Download
memory/4292-785-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads