discordrat | 73ffdb5bc29185f6c68ea22d571859218635a17bad466d4c5aee1b4a3421dfb1

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BfIgOz7.exe
Size

6.8MB
MD5

29daf7a58aacdc2459d9145039474754
SHA1

df7807760855e648920c85c29b12e2e817930729
SHA256

73ffdb5bc29185f6c68ea22d571859218635a17bad466d4c5aee1b4a3421dfb1
SHA512

e1db029d471eede7cfcecf5428b8d7669c4655b5d4a7c854fd952894c9e5d3c0497cd741235a9c312cc08c8fb811f051d1756264b585ec4e0f98a982d65f803e
SSDEEP

98304:o1kTd/1SqRWF/A0E/CoSMWjILQjMhAjUc7DL5s:WkTd7RWF/I/ZWjsjajUc72

Score

10^/10

discordrat defense_evasion discovery execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NDY3NDQ5OTc5ODc2NTczOA.GRsRSd.UW5uwQ1usFhHH7EewkpyCqw589sAshmfAmxuZg
server_id
1284674413421133905

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1892	powershell.exe
2964	powershell.exe
4080	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4340	roblox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com
28	discord.com
54	discord.com
55	discord.com
141	discord.com
142	discord.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4504	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133708455151147070"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1892	powershell.exe
1892	powershell.exe
4080	powershell.exe
4080	powershell.exe
2964	powershell.exe
2964	powershell.exe
2528	chrome.exe
2528	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4340	roblox.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1892	1608	BfIgOz7.exe	84
PID 1608 wrote to memory of 1892	1608	BfIgOz7.exe	84
PID 1608 wrote to memory of 4080	1608	BfIgOz7.exe	88
PID 1608 wrote to memory of 4080	1608	BfIgOz7.exe	88
PID 4080 wrote to memory of 4504	4080	powershell.exe	89
PID 4080 wrote to memory of 4504	4080	powershell.exe	89
PID 4504 wrote to memory of 2964	4504	cmd.exe	91
PID 4504 wrote to memory of 2964	4504	cmd.exe	91
PID 2964 wrote to memory of 4340	2964	powershell.exe	95
PID 2964 wrote to memory of 4340	2964	powershell.exe	95
PID 2528 wrote to memory of 3000	2528	chrome.exe	105
PID 2528 wrote to memory of 3000	2528	chrome.exe	105
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 4588	2528	chrome.exe	106
PID 2528 wrote to memory of 1780	2528	chrome.exe	107
PID 2528 wrote to memory of 1780	2528	chrome.exe	107
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108
PID 2528 wrote to memory of 1164	2528	chrome.exe	108

C:\Users\Admin\AppData\Local\Temp\BfIgOz7.exe
"C:\Users\Admin\AppData\Local\Temp\BfIgOz7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process cmd -ArgumentList '/c powershell Add-MpPreference -ExclusionPath 'C:\'' -Verb runAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process cmd -ArgumentList '/c powershell Start-Process roblox.exe -Verb runAs' -Verb runAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell Start-Process roblox.exe -Verb runAs
    3⤵
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process roblox.exe -Verb runAs
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\roblox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\roblox.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff83eafcc40,0x7ff83eafcc4c,0x7ff83eafcc58
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3808,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3820 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4596
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6c1bf4698,0x7ff6c1bf46a4,0x7ff6c1bf46b0
    3⤵
    - Drops file in Program Files directory
    PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4560,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4080,i,9011241690712291237,3281184581533271868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3532

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
edac6e09df0fef701f3782ffb44e5967

SHA1
156f25026f8126d1787424c593be8b2461f21130

SHA256
16474beaadce0176efa4862b4c8f665395c4ede7b88790b77d367dfd3b5c002d

SHA512
311e919eb0deac77e2f244d564f98e08d4ca27458a55ccbdc94a327c8353b6d84fad4fdcf8aacf5b88a3f6f5ecdfc19afbe7a1d4623a74777ed68edcdd532585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
79e68acc09ad575f6bdb75f215a96804

SHA1
9092e7f469d1df31ca5f789b24c58d0ef46c1101

SHA256
f3998aadb49cb7ef73b7c90240c26fbd7523a6ea62047d8aa01cec50b48ffb2a

SHA512
8efe32ce8eba00f1eec5471611245c09ea723cb41226129f4d3f30a00ad334b2f956f8b302393267134f0b0af7b62cbb401412ae2aefd234c74747b950bab840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
e1b882333d48ec37987fb11df96b6a47

SHA1
9b0044c0a2e135f81315eeaf109318d591be4666

SHA256
eeec1966a23bd8a84c9603cc9c21ccfbdc0c56c148b77d731d4149e21c8669a2

SHA512
b8437f0c9f423d6cd3aaabe6cdf44740f7b06250e3330fa96cdc233abdea3199c23118ac4a13fd24b382b6939be66b03a865815e5d510db07a4a79d13a5c3313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
d510c79a197fa510037a9ccf79ac318c

SHA1
5a16166813ce31f7e7ebdc91ccc71f8298a46eda

SHA256
c158fa27cbf58e2f0a5d3a6e1cef6c656a5c45c8f66175d447f26ff9984e462e

SHA512
5423223b9db99941b5b9d644f61c4692d67d99758ee05165e14fad4faa36b15d7e96a0b94402eff10b164cfe2070dc13a05df97eb1bb85013ecd8a5ee75763bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11e1c6be719655d92c9e761d63facbbb

SHA1
566698cc7c5e12be2612ded3f0dabfedec07afac

SHA256
4f1995fb8f016c837d6ce26c4ddfa5e01cc826713f3efed25c4257d9972cc02b

SHA512
c87597c9b465a10b56790ba507bb868396ef9624cfaa7934ab2e9a3c56bb8c7d9d14e3cd43ff7b18278d2e9525b4277272aea50a9eaceb6100af1f529b09b311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee10b688fb230ef8c1c5d5cb51867db1

SHA1
1f434cfc385d99a9a5a59c44666bfd13b710f639

SHA256
b943441b4e8e3768091da96086e284c672be902016b7af04cafa63f7a3b18936

SHA512
451f919d6cf4cefac91f9e67bec870b6445a1686e0b048085623383460b8ee922f3a3442aa091c4ea37e70a9fd48d0baf7f7d913f8366f34214c48c0bb104bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d798b77d025b1a0e9229c1af2a3a8f6d

SHA1
e5228d003d71de7ec1e07a53bf8d8502f344638b

SHA256
14fb3494b7ed02418378bc47f8426a7a06bdd767661680355c63adcf4e139b65

SHA512
6a5c1c3a538abb4368a5bfb794defffd7b9d3f043dcbaa158b6d52d4e8e94ebf6b7dfbd436feb7aae964748da4dee48c4fd6cbcaa11fc2e05224b5f75f687cb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
8606e8e865aae52cdeae0c83c7006245

SHA1
a75e6ce73af8107de8c272e2518ba5baa9233c24

SHA256
24f5ebe0e6823bc092890391f22ef1d9c86e4f7f8c7364cd76f0a11698ee69b1

SHA512
123ea503433a7e27c88b8d022dd376dd3393ae6b46c97cf91ea86af309261b8703b96efb7d7f0c6989a6b2bd41278d0b5070e9b19466e33f8750926d6742b8a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
bc3bcf68178e8ceb579b7220f0664f22

SHA1
5a20728da688182fcdab83fa4a31a0f9cd82c6cf

SHA256
840ffb1fba8330e82a62852b4146bac137c9e33ca8596a9084741380b4cfb881

SHA512
6fa9b14758f5364000a49f1dac21ed6a1374d1b0179374abb5f1328d68e3362da103ecadefb07dd912705e8d922e5476ac961be4b8eaeb4684f696eb98a2a2d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
41b2638dfd171e706483d4e90a9b73b3

SHA1
6f1a7a77850c16a10d45df26d95c06d0ffac0968

SHA256
f60250f71c53e303fd44640bcc0a69380657bd94dd67863bf0b1f153945842ac

SHA512
1138dfc34ac657ff230cd6f98b1e0c6d99bd7183c340ec9d4a695a2e1326a8307772b38942874d1292fe4892f485acb6d298c49c3a0eb4cff1077aa912445775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c2d9b18f895944b97bf32d90a424a824

SHA1
6e3c7f45a472671b6ba81006fd608211ec5ed443

SHA256
17b4eca224bf709abd015036e2b8b44623dbf659617c8995440f46bf36d40641

SHA512
232bb9904be40b167e28a23e086a268a100dc3bd5cf45e901250e8f9bc57f23fe93ca896d038d3a199527371c07bb3d675ca248473e85d776795ef638dd55359

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngsu1ubn.kka.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\roblox.exe

Filesize
90KB

MD5
c7bbc27d3f6c8f80047184a0dd5423c2

SHA1
9f0600f25fc175508dffe189bae5d0bdb6fcce10

SHA256
8456684a9df4033f3199029c67246c264bccdd12a6e5d720521aff7f0ca59364

SHA512
413d2d7be16560b37a2df6aa438dfc3f57544c656a9965ffa3d0ccc2b799e9b14f0d36e106e577bd22157f96b6f450e2640a2ecb5e1a6175532ea431ed8ba80b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1892-16-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download
memory/1892-6-0x00000230D36A0000-0x00000230D36C2000-memory.dmp

Filesize
136KB

Download
memory/1892-11-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download
memory/1892-12-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download
memory/1892-13-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download
memory/1892-0-0x00007FF83DCD3000-0x00007FF83DCD5000-memory.dmp

Filesize
8KB

Download
memory/4080-30-0x00007FF83D7E0000-0x00007FF83E2A1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-19-0x00007FF83D7E0000-0x00007FF83E2A1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-33-0x00007FF83D7E0000-0x00007FF83E2A1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-31-0x00007FF83D7E0000-0x00007FF83E2A1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-49-0x0000019B78AE0000-0x0000019B79008000-memory.dmp

Filesize
5.2MB

Download
memory/4340-47-0x0000019B5DBD0000-0x0000019B5DBEA000-memory.dmp

Filesize
104KB

Download
memory/4340-48-0x0000019B781E0000-0x0000019B783A2000-memory.dmp

Filesize
1.8MB

Download