discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Analysis

max time kernel
1049s
max time network
1033s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-09-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.exe
Size

10KB
MD5

4f04f0e1ff050abf6f1696be1e8bb039
SHA1

bebf3088fff4595bfb53aea6af11741946bbd9ce
SHA256

ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa
SHA512

94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12
SSDEEP

96:IJXYAuB2glBLgyOk3LxdjP2rm549JSTuwUYXzP+B1izXTa/HFpff3LG+tzNt:IJXDk7LI4uwtDPC1ijCHffSs

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
ql_FNu_oY3FoCI65HtdZeyc1zQsDnXMh
server_id
1274815772249555035

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
3488	Client-built.exe
1504	Client-built.exe
4152	Client-built.exe
3948	Client-built.exe

Loads dropped DLL 4 IoCs

pid	Process
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4652	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	3488	Client-built.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	1504	Client-built.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	4652	taskmgr.exe
Token: SeSystemProfilePrivilege	4652	taskmgr.exe
Token: SeCreateGlobalPrivilege	4652	taskmgr.exe
Token: SeDebugPrivilege	4152	Client-built.exe
Token: SeDebugPrivilege	2740	firefox.exe
Token: SeDebugPrivilege	3948	Client-built.exe
Token: SeDebugPrivilege	2740	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 4612 wrote to memory of 2740	4612	firefox.exe	75
PID 2740 wrote to memory of 1748	2740	firefox.exe	76
PID 2740 wrote to memory of 1748	2740	firefox.exe	76
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 1044	2740	firefox.exe	77
PID 2740 wrote to memory of 4540	2740	firefox.exe	78
PID 2740 wrote to memory of 4540	2740	firefox.exe	78
PID 2740 wrote to memory of 4540	2740	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.0.207007564\968619773" -parentBuildID 20221007134813 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c87cfaa-57b1-472d-bcaf-a4bff26c216f} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1696 239195d2158 gpu
    3⤵
    PID:1748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.1.363549066\1489169053" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65588e09-2caa-452e-bdbf-76c811927e38} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2160 239190e7058 socket
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.2.1795260531\890238579" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2968 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1028 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc41346-809d-4c05-ae25-0526dcff4369} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2988 2391955dd58 tab
    3⤵
    PID:4540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.3.89500110\391301035" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1028 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {333cf0cd-92fd-4e76-8b60-18754c03f2cc} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3604 2391e1b9158 tab
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.4.216637692\1475685512" -childID 3 -isForBrowser -prefsHandle 4452 -prefMapHandle 4448 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1028 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fb89a8e-e672-4d04-bdc4-ab10a9fb64ab} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 4464 2391f0dfc58 tab
    3⤵
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.5.68074109\25586234" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4788 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1028 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91ff7b13-ff19-46ed-b922-1ef2af487380} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 4816 2391f0df058 tab
    3⤵
    PID:1180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.6.1938560759\1361315105" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1028 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {646b8f57-b389-4de8-956f-fe9bf2fc565e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 5068 2391f61a558 tab
    3⤵
    PID:3236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.7.1973952865\318634436" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1028 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58dac354-f8a6-416f-9dc3-bc2a4c18e287} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 5340 2391fa3f258 tab
    3⤵
    PID:4892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4652

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
4a88480009247948764498f72415443b

SHA1
0f541c5d53b157af8071417a9eea9ec4f95951ac

SHA256
f9b1059771e9a5a77cf705b1234e9a38a180883c366407a882b44be501bf3041

SHA512
c2bf4af438d8100049b6001b2732a32f053066dda968dadee8ba5189d1725314f66771bf8b5b1aff3e5adae75ca467f13b12f8bddc5be68a7304bf92e69673fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
6f5f5e19ad0a4edcc27d9c1e62eb277d

SHA1
1ec7862fbe280a795f16b646be95ab51b62c61a8

SHA256
5167c4f7656f9b89402f12a80d6dbbb2a202c0dcce5b9233c39b75392d66a864

SHA512
1a0fbf96a9fbcbbd017b46841c6e7cb857ddce5cb230d4100e3e5a42be3a79e21c63d5fbd7de812cada1991695049b92feded6dcf551b41b9f9ce96ab858f007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
2c5322996bc9a338e5dc43054ae30f56

SHA1
05bb43e254c41278c02a626a328839be408a7673

SHA256
5b9173d02cf919121e75c8d512509125915b300c6f44f459c45d44479394253f

SHA512
2476446083b82716e603a4487e03f6641aeb3f2d86ba16eb19909782204cf38ab3ea8a1446cf5361a3082624a2cc352c67b2d555366ac67e6d53433b405ecf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
b1891a1f567af07b802356944ab50a00

SHA1
50738e56904eaef601935208e736d78c7e038749

SHA256
6f14986c2d5154ced1a2e11acdc8c199602a8b77741bbfdf58f7b5c64cd19092

SHA512
1020cb57aa66b40225dc1e31e793f2f7afe8ca42c30861566107125057ba88820f1323e07620e70033e74f2e3eea1a979f89835501485e04c0c269b86215f8dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\SiteSecurityServiceState.txt

Filesize
324B

MD5
cd04c43b4ea02f440f16dba29ddb20d3

SHA1
e9c778b52a7e96a2c1db8ea4a298538207825e80

SHA256
4eb17a2d7d73df58f6051b3736df3a55155877c5c3d22c25c24c89bfc0b19477

SHA512
21d45e6880db68fffd6d8e5c52410fedd2f6f5ce5f9f4baf2199bf4b84c007cf533b7ed42b7a2283175edf9b25f36a5c6df478fb7d85d4a095cb169f3d164dff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
405584b73df4adf0d82c07e660e3d770

SHA1
6e23d4bf99c47da1a67a53cb6a19602943cac7a3

SHA256
1dfa8c141ccc6a321b7dff20b9fade4ba43dcf5bdf2026fe70b763dc4160f47c

SHA512
c6e4497429220b0bc67f9558f3986c5c3db3f542866723fc780390d417a713d85eb920faba508301dc3139e72e818cbaae2d6b65d371c2710edd03650ebfecc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\04601f6f-0a35-4605-95b7-0cb627c49444

Filesize
746B

MD5
ec53fc27039818a9bc9a3013087b7d24

SHA1
deae697084db806b141e4de4037cd4d225903954

SHA256
1a74e903edd9a4d18533e1e3e74f7c0baa10eb108680b7f9baf92f8d7511075a

SHA512
b496f26876b8ba70aa2753e7453dfeb1fbc08ad98f37346b16dd49c28e3cc87ce7b87bac05199b605d590029529880ab066b6d77a161031a7527f77b82c0ca08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\44deede7-38fe-4502-9453-4a5e59627163

Filesize
10KB

MD5
1634bdcaf817f04bce1c5810752c0e72

SHA1
aea88da2600a9fae31e75593d213a685d74d4695

SHA256
0d5c1aec01d580916b4d271abd3b46b61413aa6554648f78d1c82c69ee286bec

SHA512
f034889238bc6ef0514f3d592a4f8915ab095d8fe5daf9cf6c6f440e9970e0e756821b8ac252018e85e3eb9cfd239b977d4c79f79b06d217a748de3838c0b649

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\5b000388-3f2b-4488-8f5b-1f0a8d0c1f2f

Filesize
595B

MD5
5e6eaee3376f9bab4b1382e5efecac62

SHA1
246de85dcb901c6b4ef0226ee2dbb79bf9eee1cb

SHA256
b938183ecf15c8d519c443ddd867541638f3e989b5cf852bc9a065ed47b936a0

SHA512
70dfb01e5ea81b6fee6597edb97f27d602e4611818f565ed60da30f4378d3b2c9d895b5e5f10c507260d21a5c1f15d5f1dceea668518b49b88deda9d3184e39e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7dbb8de9-21f3-4b51-95e3-cb63266e3aa2

Filesize
733B

MD5
852fa103888b26a5f36957012e5e834d

SHA1
181a48f95c87c45e764c8bc4cc00e8e51d0b5276

SHA256
91be78ae2676dc4f94f59c5a2bd07c9e2fb5c3fd6b66afc59ade2a0f043f4bb7

SHA512
40bad23f51594410be7900dd8bd8d8cbbc8b08df9fc7e9352ca23f89a0b550800e1ae2305437985a12c76b1b1f6c4bf8198f40380b668506ff0e30ad0864a7c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
58a656db65d99a973273997ebed50433

SHA1
c6ca1b9d4f09b4a64e21d7aeafd5e09e3fcb14cc

SHA256
d3ef13a119bd5bf37c109d0b61a8a977913c8e60801384339c625af6fbb04a9a

SHA512
45d81319cad83f9daa0f90ace0ebe3beeeba97f66c143d557744dd1ee7405d9e1a7a52b31f341f9857fc07dc8db1d267e2bc5a3894b42ce7e66940bdd4309bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
ef29a265c20e9fd035292a106cdac714

SHA1
436ed1fd268e0a01029b6d64c1ab3b8841d539e8

SHA256
887437e96ab2f35b7c1a1403ef09ec272d6b10d8dd0820a4f8a10154428d4f61

SHA512
2f6001957d9772aa585297f4b4e2143d0a049e9f8a4d9816d2228fe0124241a7f44c483b2e11d63e1b5bb044b734ca9160f0d46afaf8a946e8dba826132a956c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
da2b14c738cad9078c4b378a7b86a62d

SHA1
dbc0cab3bc16cdd9ac80547b806851badb38a8b5

SHA256
8a619affc70dd57a7cc0521b9b81a43ba91f3740274beb50b498bfb3f9998f45

SHA512
f41528ebc8db8b132fc95fc40d53ed70d2e157cda6fed834e01ada6ce04fe2da608cddd69d1efb091c9eee4278ceee6b950a1f7915788927625803e95a993867

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f5d9025878b6f11014cb18c4cd08cfb2

SHA1
48b71fbd0490c9f4dac0c29f4714bcc6cd5e2550

SHA256
3c039770c22525ffd79dee0a4c719755037f963df4ac33cfa54b4fb6817ab417

SHA512
672eb073a65a733513b9d8fa3d5344ded2e653b3acad610cff4604f7d690a152e1d765fb850bce5c60cf372e7d333e7247ffce3100a0d410fda45e5c76ae66fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e7d901ad03d22078f4c42ecc83c3bd45

SHA1
13ffe2ced2026e6b99c39a96d006c7832a72ba17

SHA256
fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

SHA512
8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.9MB

MD5
627c699be174c94df58ef6e4d3fc4092

SHA1
e8fe9c88573789c865fdaa0fecf3e3ea6db8d534

SHA256
2ae8ee232b2a98f3848bc7d0487161dc630f5398382079549b598173d276fdb6

SHA512
6140f6a7da9668f2e59d05f3c9b10e9d1847f62c0f09e712c9cdc7cbe7fa082a9d8a88454bc97a541d533777c2f0e26d99cdece7e9071126757275aeb5399b4b

Download Submit
memory/3488-187-0x000002128E040000-0x000002128E058000-memory.dmp

Filesize
96KB

Download
memory/3488-189-0x00007FFA8C260000-0x00007FFA8CC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3488-191-0x00007FFA8C263000-0x00007FFA8C264000-memory.dmp

Filesize
4KB

Download
memory/3488-2509-0x00007FFA8C260000-0x00007FFA8CC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3488-192-0x00007FFA8C260000-0x00007FFA8CC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3488-186-0x00007FFA8C263000-0x00007FFA8C264000-memory.dmp

Filesize
4KB

Download
memory/3488-188-0x00000212A86F0000-0x00000212A88B2000-memory.dmp

Filesize
1.8MB

Download
memory/3488-190-0x00000212A8EF0000-0x00000212A9416000-memory.dmp

Filesize
5.1MB

Download
memory/4152-2530-0x000002C832710000-0x000002C832728000-memory.dmp

Filesize
96KB

Download
memory/4448-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/4448-3-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/4448-4-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/4448-7-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4448-157-0x0000000008640000-0x0000000008762000-memory.dmp

Filesize
1.1MB

Download
memory/4448-5-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4448-2-0x0000000005800000-0x0000000005CFE000-memory.dmp

Filesize
5.0MB

Download
memory/4448-6-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/4448-1-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download