discordrat | hxxps://fex[.]net/s/f8nk0ft

Analysis

max time kernel
116s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fex.net/s/f8nk0ft

Score

10^/10

discordrat discovery execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzMjM5MTgxMDY4OTUzMTkxNA.GtVFv4.Jh9IjBLUANTyxm8BQJryZbJPBRwbPMQ2zAePNU
server_id
1232357971313295402

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
149	discord.com
154	discord.com
155	discord.com
157	discord.com
159	discord.com
136	discord.com
137	discord.com
141	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3356	powershell.exe
5300	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
2892	msedge.exe
2892	msedge.exe
4348	identity_helper.exe
4348	identity_helper.exe
3980	msedge.exe
3980	msedge.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
5300	powershell.exe
5300	powershell.exe
5300	powershell.exe
5300	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	kdmapper.exe
Token: SeDebugPrivilege	4988	kdmapper.exe
Token: SeDebugPrivilege	4656	kdmapper.exe
Token: SeDebugPrivilege	1076	kdmapper.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3360	kdmapper.exe
Token: SeDebugPrivilege	1624	kdmapper.exe
Token: SeDebugPrivilege	3356	kdmapper.exe
Token: SeDebugPrivilege	5300	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3020	2892	msedge.exe	84
PID 2892 wrote to memory of 3020	2892	msedge.exe	84
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 4992	2892	msedge.exe	85
PID 2892 wrote to memory of 3316	2892	msedge.exe	86
PID 2892 wrote to memory of 3316	2892	msedge.exe	86
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87
PID 2892 wrote to memory of 464	2892	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fex.net/s/f8nk0ft
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc201b46f8,0x7ffc201b4708,0x7ffc201b4718
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,7835025713659139872,17763483864160681489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2936

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe" C:\Users\Admin\Downloads\Woofer\Woofer\spoofer.sys
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe" C:\Users\Admin\Downloads\Woofer\Woofer\spoofer.sys
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe" C:\Users\Admin\Downloads\Woofer\Woofer\Remover_Logs_1.bat
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Woofer\Woofer\Remover_Logs_1.bat" C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe"
1⤵
PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File script.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe" C:\Users\Admin\Downloads\Woofer\Woofer\spoofer.sys
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe" C:\Users\Admin\Downloads\Woofer\Woofer\spoofer.sys
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe
"C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe" C:\Users\Admin\Downloads\Woofer\Woofer\Remover_Logs_1.bat
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Woofer\Woofer\Remover_Logs_1.bat" C:\Users\Admin\Downloads\Woofer\Woofer\kdmapper.exe"
1⤵
PID:5212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File script.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
0af12004db5fe4272f4edb32014df51e

SHA1
d58f39958fb93f8b305ca7294bebb4978766dae6

SHA256
6e59b3f130a284b93d20a9ed46b3fa945f464dcc68f2f521df8eddbf5c8425bc

SHA512
a0ab53cd3cd7703584bc9d3ef2ede4ac60f536154434468cd861a1ed8d702cf6daea284641634a346b27b8a54411c7fedb762784ad596a7da296fb288553036c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
36KB

MD5
7f7f1e6741330711c18bf089160e3157

SHA1
261c433797cdc8ec94a362e1e4d5857a0b93ce4a

SHA256
95ddf303cf24b934ab5e1e85759131cb85d8d8f9b03a4cec4bbb0c3ccd2fef39

SHA512
fefc845d30257b8d4b85642e9fcf2e724d40dd1a07ea9f7fc17ccf13de49956da40d8d70a77fb872b002f0c67575af80c4740e853ea321e664213dd9688fec9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
82bc2753f1603871cb401c2a75adfe01

SHA1
d1f716727aa4504c2e532739a4470f29b0c2d090

SHA256
5f391d80b64dd54812a4563ca450f90a42834f2db9796f86f996b525169a5149

SHA512
3e9ca704ca9d459dc314222a1f24d3183ebdd18437ba1eef71d90babfc738850355bec7893059a3bb80f93823919b0aa117450f3464f1ab87d0866e41d72f1f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2c67405c78ec3c02e13d4895532b44c3

SHA1
a26bb31235485ffd1fc9a352b54353a3e76000cd

SHA256
9bd2d745241bd136e2511d49d256d1d0e01ac0291f2eaa704c2e89ecc44c0e90

SHA512
ea5d1ac5b016bbce7583eceefc813753411a15e1be775ec6eb178f95d10bcdd770df6d649782bcd8cd116d7ed27314b91c353bdabd7956e081ef7161a8e2007e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5afc00aa3485e6c31e0d5acd2e796933

SHA1
e3cf22ece14ccd6344bb93baf18fd4701930ed58

SHA256
deac732c5e6dd8fe4c376b84fa00a36c5db01b0cb06ae00182f7be4b9711398c

SHA512
ad7bfc3796970ee3d49ff365b442fb607c7534b64d8961102d6c5e02abbc1dae0fc0cc007cb4e551bf52bad4794552792e62f058771daa3b258481cc7025a931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8cd28feab4274697e59630ab05be2b3d

SHA1
42ba3759616a47c44295f199d88e2fbfa8bca6a1

SHA256
7e07532d7d17d02ec5326494d421334df2550fc23cc37dc1f1c20ff7b78e1e84

SHA512
63ef52b3cc04dd41d0d72d0a3ff824586be49527be658044c08c731eae18db3ab26c956dd93d35f3f55a785dc72f13b98969b87bd7ba00cb64551282a8790ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fbcd74353e35590fc424324d6dd12357

SHA1
ce03d71ee3d5131dd984c5518ad45f37e9a8d67a

SHA256
b6fac9529a476680ec9cb434507538e948a1b655b6803ed95fdf487ad6a1da2a

SHA512
ce46cb4ffdeeb4e333af3aac1c14b5a0d229155edb9a3d61ce167b48d2c3308ba662a9f724da234eff6f7f6990daf89c3ae781a29e98ad2671da002a19ef5d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2dce78eb87a7204fa6f8fa090c919c4b

SHA1
dc1a38fd7a2e256d3e496275f0fad785b25c3829

SHA256
3237483c6cec68570b8591d4fb9b2ecbf49b3d96a15fa20c14cea1dafc55efc5

SHA512
df6ac0c9ed814de73d59999c459fd0c0f9c3e511483e01ec4d20bea050997d08fc76c37c611cde511c7f341514eb07abdf01db277da95308c56809db08fd0cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e714.TMP

Filesize
1KB

MD5
a1c6489c477486020476a990c6e18321

SHA1
b67159a1dc39c0017b866d6d90b4e3647b3f56a1

SHA256
2d62df4e38ec405ec1866a02b84e6dfd7b96d3dffd59251823ecf19b45a29aeb

SHA512
983de707a38b46b8da0835189efbfe4bbc2401cdfd3dc2347eee2dc5dec500821e239f801a0717909d885d22d222cb157326c1a6d2d40eec18bbf3934a55d4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
36fefa4d774a102287337fe02d6ff980

SHA1
699df7dbf92b135570de0f786ff6587ffcb613c8

SHA256
86b6080a54359d0491cff7c4343e0bf8f922c80282666800cce55eda4897758d

SHA512
b71047211d60b3768afd805ab4669e7eae1a216cfc8457479cabf7da481f561a3c9e1b84df4a6381c575a58152278119e1e0560e8f691ac37c6e06263ecc9d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22dc7d495727d36d08ad74a5562890fa

SHA1
215c5f264bba7c2d82c46849e15c8cd7d8fcdefd

SHA256
d7ddc49f9897ea97507e1190087ac136140121c88f692d62f49567208d2734c5

SHA512
d1286ab1346c5f0844e5cec6aab8c22d1967f6d0d19ebf4d9b97a1e5bebca09bf430b18b98e2ba8e71ba472266eac40b8c49a406c0872a6be96db12be501593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc69ad18307da276862035add80aa04a

SHA1
0da9f5d68e191703b7877119c20f1f427619b74b

SHA256
2452ba5fb319a9c25e2183132045b8cc909190467ba38ae40b4d274ee00f3943

SHA512
f8cc2d145b625cbdf434e534629671eaa1c878d14ca771db7118dfaca3bbfa445733bab7b63c3e189e828690006d925679493788ac216a358dcfe8f42debfe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ympfiow0.qyj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\546473a5-f2a7-4433-aba4-a50c1f51e36d.tmp

Filesize
34KB

MD5
dee694cc9a047aea4ca8f1cc15fce2a5

SHA1
d84696b105cedff4a0fa57c83d99bae311afe1a9

SHA256
fc7c45a00bbfce62096d618d42bbd3564f33d7bbb99f690551c9a9003e85c071

SHA512
50a8fe002e3c3938ecb72f0b9c080b5884ced82d4f540508035aff39a77c462391f2b3b9df5af1f19fa733bfa327b840a8fa9673686543c4b7bf9f066191fa39

Download Submit
C:\Users\Admin\Downloads\Woofer\Woofer\script.ps1

Filesize
409B

MD5
af5aefbf4681c1058c1e33b8bf09d316

SHA1
d6a797fcdbac3f9ababc4afe28f8dc1b6647db5e

SHA256
49a4c5b8c350d5b93d848c2cf9f3d108642ee15cf334897ee12d88008fe60692

SHA512
d29e5e760ef3fc586dbf34573784dae6169a74d9aeefe9455798bba477ed37ba084156931da6d3aca4e72bbb202c918bcdfa0d0dfc1488729fdecafd2bf76b34

Download Submit
memory/3256-256-0x00000214762F0000-0x0000021476818000-memory.dmp

Filesize
5.2MB

Download
memory/3256-255-0x0000021475AF0000-0x0000021475CB2000-memory.dmp

Filesize
1.8MB

Download
memory/3256-254-0x0000021473540000-0x0000021473558000-memory.dmp

Filesize
96KB

Download
memory/3356-303-0x000001DCBB910000-0x000001DCBB932000-memory.dmp

Filesize
136KB

Download