discordrat | 73ffdb5bc29185f6c68ea22d571859218635a17bad466d4c5aee1b4a3421dfb1

Analysis

max time kernel
150s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BfIgOz7.exe
Size

6.8MB
MD5

29daf7a58aacdc2459d9145039474754
SHA1

df7807760855e648920c85c29b12e2e817930729
SHA256

73ffdb5bc29185f6c68ea22d571859218635a17bad466d4c5aee1b4a3421dfb1
SHA512

e1db029d471eede7cfcecf5428b8d7669c4655b5d4a7c854fd952894c9e5d3c0497cd741235a9c312cc08c8fb811f051d1756264b585ec4e0f98a982d65f803e
SSDEEP

98304:o1kTd/1SqRWF/A0E/CoSMWjILQjMhAjUc7DL5s:WkTd7RWF/I/ZWjsjajUc72

Score

10^/10

discordrat defense_evasion discovery execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NDY3NDQ5OTc5ODc2NTczOA.GRsRSd.UW5uwQ1usFhHH7EewkpyCqw589sAshmfAmxuZg
server_id
1284674413421133905

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1544	powershell.exe
1644	powershell.exe
3476	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
988	roblox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	discord.com
8	discord.com
9	discord.com
10	discord.com
12	discord.com
23	discord.com
1	discord.com
6	discord.com
11	discord.com
13	discord.com
24	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2084	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133708452546375690"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3476	powershell.exe
3476	powershell.exe
1544	powershell.exe
1544	powershell.exe
1644	powershell.exe
1644	powershell.exe
1108	chrome.exe
1108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	988	roblox.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeCreatePagefilePrivilege	1108	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5260 wrote to memory of 3476	5260	BfIgOz7.exe	79
PID 5260 wrote to memory of 3476	5260	BfIgOz7.exe	79
PID 5260 wrote to memory of 1544	5260	BfIgOz7.exe	80
PID 5260 wrote to memory of 1544	5260	BfIgOz7.exe	80
PID 1544 wrote to memory of 2084	1544	powershell.exe	81
PID 1544 wrote to memory of 2084	1544	powershell.exe	81
PID 2084 wrote to memory of 1644	2084	cmd.exe	83
PID 2084 wrote to memory of 1644	2084	cmd.exe	83
PID 1644 wrote to memory of 988	1644	powershell.exe	84
PID 1644 wrote to memory of 988	1644	powershell.exe	84
PID 1108 wrote to memory of 5272	1108	chrome.exe	88
PID 1108 wrote to memory of 5272	1108	chrome.exe	88
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 4684	1108	chrome.exe	89
PID 1108 wrote to memory of 5380	1108	chrome.exe	90
PID 1108 wrote to memory of 5380	1108	chrome.exe	90
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91
PID 1108 wrote to memory of 1408	1108	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\BfIgOz7.exe
"C:\Users\Admin\AppData\Local\Temp\BfIgOz7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process cmd -ArgumentList '/c powershell Add-MpPreference -ExclusionPath 'C:\'' -Verb runAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process cmd -ArgumentList '/c powershell Start-Process roblox.exe -Verb runAs' -Verb runAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell Start-Process roblox.exe -Verb runAs
    3⤵
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process roblox.exe -Verb runAs
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\roblox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\roblox.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6e06cc40,0x7ffb6e06cc4c,0x7ffb6e06cc58
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1784,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,6832502184223025911,14428659933305044090,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5332

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f4102a3450387719a5361e73bf233b9f

SHA1
dc842358affe7a3723eac27fe55ad260a18f41d2

SHA256
4d5a70c8b230c8db12b39769eaf7ea10c964344b40286fba8588838c35324d1d

SHA512
1b92ad857ce7e53852eb9575c0e4ec21f68be32a3d5a1d056996971625e3221ba7382c11fe06f4866d9c49d30935fd5e372be548d7bfef983af9848a2967f0d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
84ae5fdf1af1496ea0c58074989ad91f

SHA1
eb8940768163070ba1f2c0bee13621cd5306cd3c

SHA256
f20a4e2a435d3b684bf843ba91cd08329dd3e17e1b04479c09a697239ee2a7c4

SHA512
3888a30a1ca4e68d15faeef34d89fdb860286217baa12abfade35e48a94a4c855834a2fe42b7b88b1a7bd56d754e819649d20a95b6367ee7be2c74add26f7324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7732e19b92ded3603190cfcd993c37bd

SHA1
b5e8ed1663cd20526a9a12b7e1c21482b3e6fa68

SHA256
1790d91d5c6c33c8c0fd4df06fdbf34e63be4e94ca62544516e66c5139b22bb2

SHA512
114987d306908b57a6e6b35972ce9c664f4f62ed41692a17a7efa337ad264fe847c8af9c5059fc1d110930396800ac30847afc695f53ba5fb3c69f49ef04403d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c8e74f6baaa9723f42f8146f515158d

SHA1
7c3cec9b1d954d8471d71e5f1f1504da74885967

SHA256
1c36d6ceebd1e9b746da31e656c2b065c8a2d39f806386a89692bfe370fea362

SHA512
d48ec97b8ea28df4edccea77f45ec5f05f2970821518cbc3f7b93bb09b772a4d516da4c00bce1bb575862eef1d43de1d6410ea826eb417c92a81fdeb45756b8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
64f9d0505d975edc339a91e68b2fc61f

SHA1
734116e6366e6b257c3dbac97344c20d19437444

SHA256
549f776a73557ad6b657eb9df1ced501e157b40e1c404adfd11ee3005f98b979

SHA512
21ea29cbf12cae5610fd8fe6a110642e6bfe09d340311d70961ccd4eb3a0be5cee2e9ec51160496659511fb7594c744a30810523e5b130a70106445673d3bb07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
755faa840d996fdb7b783755d1c5962e

SHA1
62df490267aacce77a8c2a4e8471bbba928310e3

SHA256
051f4029e4bfaf98a0c52f7250e91e3de72f0d60a6b06f1af9a6003ad13cd5d0

SHA512
0db6359d63539be28d3abc7f72acfb511420c0a3a4f8d24b9b87267a6a61b67004b750c4c39acd2667d216322f248223e8ed93ce80d8814130a6629c465464be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
37263f3583b3b49735278e7aaf03f804

SHA1
2e42bfbd1884ac1fb41b44587d715feec4505477

SHA256
d3d37a24d4c9be7f6771ae16f632836eef3149d7e857f55af8ec3cb3d88106af

SHA512
74e4a9e79ec26cf648ad24f0eec994cf81e2c3b7288a0a050799495712ba50d94bdac71d6b0c75d91c2aff2058ad180af4c85516d08a8d154038739ff3116ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ystad0cq.p21.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\roblox.exe

Filesize
90KB

MD5
c7bbc27d3f6c8f80047184a0dd5423c2

SHA1
9f0600f25fc175508dffe189bae5d0bdb6fcce10

SHA256
8456684a9df4033f3199029c67246c264bccdd12a6e5d720521aff7f0ca59364

SHA512
413d2d7be16560b37a2df6aa438dfc3f57544c656a9965ffa3d0ccc2b799e9b14f0d36e106e577bd22157f96b6f450e2640a2ecb5e1a6175532ea431ed8ba80b

Download Submit
memory/988-47-0x0000023E9ED90000-0x0000023E9F2B8000-memory.dmp

Filesize
5.2MB

Download
memory/988-46-0x0000023E9CE90000-0x0000023E9D052000-memory.dmp

Filesize
1.8MB

Download
memory/988-45-0x0000023E82860000-0x0000023E8287A000-memory.dmp

Filesize
104KB

Download
memory/1544-30-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-32-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-28-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-19-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-18-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3476-0-0x00007FFB63323000-0x00007FFB63325000-memory.dmp

Filesize
8KB

Download
memory/3476-15-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3476-12-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3476-11-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3476-10-0x00007FFB63320000-0x00007FFB63DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3476-9-0x00000228FD7E0000-0x00000228FD802000-memory.dmp

Filesize
136KB

Download