hxxps://cdn[.]discordapp[.]com/attachments/1258664963208118294/1258682098513088583/Perm_Unban[.]rar?ex=67a1154d&is=679fc3cd&hm=55f7267b0c20251602438c17dc69cd14a435b8a10e8b25512eefd18e6844f8be&

Resubmissions

02-02-2025 22:33

250202-2ghzjszre1 10

02-02-2025 22:30

250202-2es2qszraw 8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-02-2025 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1258664963208118294/1258682098513088583/Perm_Unban.rar?ex=67a1154d&is=679fc3cd&hm=55f7267b0c20251602438c17dc69cd14a435b8a10e8b25512eefd18e6844f8be&

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
79	2596	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133830090215781769"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4156	3788	chrome.exe	81
PID 3788 wrote to memory of 4156	3788	chrome.exe	81
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 3132	3788	chrome.exe	83
PID 3788 wrote to memory of 2596	3788	chrome.exe	84
PID 3788 wrote to memory of 2596	3788	chrome.exe	84
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85
PID 3788 wrote to memory of 4936	3788	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1258664963208118294/1258682098513088583/Perm_Unban.rar?ex=67a1154d&is=679fc3cd&hm=55f7267b0c20251602438c17dc69cd14a435b8a10e8b25512eefd18e6844f8be&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffeff78cc40,0x7ffeff78cc4c,0x7ffeff78cc58
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2108,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3708,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4472,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5324,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4468,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=500 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5620,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5740,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5888,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5920,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5708,i,2971513082879134064,7349604268288211355,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:1172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
a718257d4401f910ee110f467f884216

SHA1
60bf70629e1ee7c33fd6edea73de15fb033abad1

SHA256
524224efc3c6b96d94520332979ba97de3d682681381e82551a7a6af06e60d60

SHA512
8dd9f410666ee337eb544b6272942983db27c381cb5ee3d19893fc21d8eda0d0cb963e85ef9b9ac941ff5a04ba19707af731d76292fe11892d78801aef902be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
947622e7e3413480a80e3dc496d9dc8b

SHA1
a652755b402e8d9c54ed563b706cb412c618602d

SHA256
b9c113a77732c283851cd308962d9de6de87c5afec33444c13336523f5acc68b

SHA512
3f705f39863255622ea9078ca4221f6797c4137a2e3c5f0e6679c65a32f622d1e16f57e35581d68a319a53c59cbbce0434ccbcb7b717b2b3adeb15241729a396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7dab86cf8d4307c7dbb6a0756bac8598

SHA1
4b4e1f15e5831e7dd425601a37d291b6a4ed6f66

SHA256
49c7defec18ce2b6bea869ebd1b420e87905c2e3735bd32552af7a89ca11af41

SHA512
e5bb17d9d33570f456580723c80f73f21ca8ceb74b5c4e18526dff71939b75b90e7ecbf426aaa4066edc62fb6bd007fd8550806c3765c94ad0aa1061d836b427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
af9e9ab912f6f0151658e475471b1d35

SHA1
4325239f597316bf143faafb87916ea9e064dbf7

SHA256
64600a8808c3c1d41049280bd5d38235876247fcfcbecb9d0524ef866f6fb71b

SHA512
774e9b22e1b89c440cc623355a47e2ada5017ed0597b196b7d3a77a4722fa1f71bb30ad859e827bf895f1b19ce69b4277aff323e8732f5c993bc40e8027d32fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
778fe1a9bd9007f2951b13a6bab0c1b7

SHA1
6b9682ced4fa136f3fdf5c6f59e0fa184e1f7927

SHA256
e50a76c4a4a5b470fda8239701fc07af527365fe7ee150f0d12ed7e5d7ff2499

SHA512
e50cafb54382c89e81b78503021ee2907e0b32c5dde5faee00ee754dcd3ec0db685dc3cde5eb87c9ed7b96b6eb114284eddf291fe86ced3e4b2d370efc44c9ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f748e9acf788299d97b0c2fb80b68855

SHA1
20c9db498c94b27c6f1ef75f356c0724dc98021b

SHA256
1fae3bb7dd4b1974699f9db21a1452ffc197b165e8e8d1156a5f6072e5e67e51

SHA512
8c9d54651788ee423815a15381c29ba4b22cffc38b4a6b47efc0fd0710c4340a5d4dc37be00aa1933ac8a0157bffe00168891efea905f0cf81099ab36448d6d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f062106d34b96f3130e71c3d4519eae7

SHA1
c0b89c8aac37c24894cd98b912240890ae12b2bb

SHA256
2597e06d8c80425854f7bb56400f0741da6da61bffa434b2a3d4fa87eea59b89

SHA512
a1ac60ec6f916a84e5e146c8a47840219bb4be9cf7a0c3283c387a428eae9e67c9bf4da23c5d5052a2e35e43f3641b8c7b5d21c3434789c3ffaea8356b1eb0b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b37c356adf79864d20ed59235b214f0

SHA1
2e91a3ca75a28085c3b9b8887b0457ae4b55056c

SHA256
40bb210e526a584fef5ad6434217950a418a511d97f6494ddf83965c7cb654c8

SHA512
e4ead002167a5bac3e71082faca084388fe8e0b98a054466038ad96a58e591b634df9a4a18a8125ddeaeacfccfef93f2a1a1d74f8b0fa67c1442361f3a7d04b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9ba2468da2c7459d1a4c95ea9b9081cb

SHA1
fea071efcb04413f982257938fdc0dbcc2fa0fe0

SHA256
7b946bfe2a14af86b242799e0700e471349cd4c9a281c705d8577eb62782244a

SHA512
d41f20c174381aebc7001e059a92ac0c4a8d1a4ddd19c5e26e25fbe304db25d3942d16be0063b5f6b0920f37d0679b90b4a5c2a47d6e00e2adbc962f5efd037b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
691404824b472e5890fa7208dfb11aee

SHA1
848ccfc43d6e0bde6c1dbbb7cb5c1ac8e2e6d147

SHA256
64aa230cbdd7400429e7deb02fb206f3387e779603dc3e2760a2e59067021328

SHA512
0f2cee4f24b17993d723b0c5d1f04cffd654c3d098014b8fad1c14c682e7a1df2b78443552ee214b33d1197f6b26930797fae32b01ffc875acd304fa5d1cbdb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
606ab3700afa216c081eb151f4231c51

SHA1
c8e88e3f561b747fcf5a12a6c0a94f41a860f698

SHA256
bddc421ac0653fc08e780f0c48ca7c4738597851d543302691414be584fbe53e

SHA512
6ef6c1545eb0412c28d97da9e35cc806d46761741c51101eb5074b2b2f71e364f3e05f51f2a374012fab560fdc0af3dbeb6a4850565d7c62d3767e3027f2f189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f7687a676059b66d6339b7a028ef8c2

SHA1
6c1ae27603d946d977dd8ae0cf9ceda4850b38e5

SHA256
7315fb8510a08aadd774eae110c4c3768da5f151980bbb236bc42f7ec94ea765

SHA512
91a6d32d916a5cb250ff8b73ecdbc718129050a32784336eaf47326708ea657ee55de96530789ba21ab9538e2f2289b61b33e6b8bc7627d6bdf8fc33d81af095

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
082ddaaeebac653af42760f56ef76c14

SHA1
df8775a595cd74492d78d22cc70360d554f85fe7

SHA256
83869c91cfc2ca6d895ea7dc92424522d4cf77f302be70e6a0b2c284ec769477

SHA512
a0dd1e2dac71a16a367ae4349a046a9d4ac0bb4afc63e3510e9bb0abc7f95b99880dea69b93e1688b03ca0a294122553a75cecf0d45400a685f40906ed141219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56ca28933f04dbe3111ee9d1ac56b2a8

SHA1
91ada56ba1c4736c30aa480139dc6ab87c99e2c1

SHA256
19268ce99b2170c59c74f19c097798d0c9bf95066b27b78d92d0dc10c1afa867

SHA512
37849ae482ee824953f95ba8cb88574910056a3c62d904381da9bd4b52d5a1e9d69bcdcba301c18b42c9e920951e05516b60a0333f526ebd0448dbdbe9d86c2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
69b9c86f80a0e056e6d9511f4d4230c0

SHA1
844a12f1eab896b3ac23fcc888f170a2f6f5edb5

SHA256
fd282f2e739851e2f950af1001d6de29b8309607bc636fa4c235823259e496ee

SHA512
e9681f1397591e1aab5c0420d9ebc19785daced5a38a1f2bfe8f8cd09a4cf28a26e6dd87326f8abb5e47c0b202e2978435684e1b942e96287f9198238b4d59dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14bd9b36711edf31509b18a64dad4f31

SHA1
cf73759806fef10f81d6658ed29c53d33f5c29e4

SHA256
d140903a62cce886c00e213943e14f655c3e01027dda7d9335cd034d02221ff0

SHA512
d8cf8c269f02b20c5a2e8e7f02063d6a1e9bb2dd9ac879ff59acc169e5adfe0197eb964adbae74c2e8e68304271eeeef56ba73e00c9ae88cc11a7e0a660b6ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0c1ef974c0edbe85984c6c842e6f5cd5

SHA1
750d58e8228957802067f3d6324c6d1643d0465e

SHA256
6c3c35431900ea9ca4e9c481bdbb1ae36b873d64e4a87dabafb4ec55dbd9b6ab

SHA512
41ec408f95fa15a9410d25b782998a4c9faaef936f14cc54643f95c56fd3a1d5206b2a7d93ef64280e11b3b3c09b0a5492f98d9ce24bb37ed90f913d1d8c4c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
e06b066ded39915d6e4d706cef029e1a

SHA1
5e54b7f7700673caa1a0efb1590e8ec380d3ad52

SHA256
e0fbb8a7c2cc18000ec77f926fcd69f14b802b50362ae9d93a3824431fca9061

SHA512
ab1bcd2996f4396cc53bb89d9be6ab4269b199b73ecf9089992d1a844530ac495a42ea6669c1c9b68e05a7b9c3507703fb9cdb61616aec5f0ad8c4107df0bd7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
41e61ce3a8209e056d07fdff2a58c909

SHA1
0a98a1bb75e889703e0de84b30385297669a753b

SHA256
34f65ff2b4e60fc91a58d3da7567822c214f589001be79eeef40ddf42e09726a

SHA512
471abe0ae8bf1163537f38c4c980e239a6a20bb0d1411bfa23fe21f21ae939cb51b71b6a116b1e88af18b7f75055945a4d063512e172432b622b22c18cbe47e7

Download Submit
C:\Users\Admin\Downloads\Perm_Unban.rar.crdownload

Filesize
1.6MB

MD5
9a1093a7c043967fc846483c5679ba95

SHA1
ce7108708cbcaf06f5e5dfb9fb27b6df6626aefe

SHA256
e80cd34b19512bd5dd8ca13bc15ccca22d48508388793327fa98be4a1d04faad

SHA512
c6df0b8d642ab126f14e012c2b3554a3ee3a557334281bad3b50901741afb17f9b90e2a3d83eb5647b0c623e920dd9f37fb6179b8d4fdb05d593863b8baec160

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701am.exe

Filesize
3.8MB

MD5
699668f1b53efa56d405336ba4c2dfd2

SHA1
082c60411c6eab194cad1f7facb95a1af31a1646

SHA256
866dd3a3beb4891d94d18b3e017c385b542bbd5999dcf1d32152cc508cfa9437

SHA512
0b10e94f954fe6f714bd329bafa580d9fa944876e9d70d87aae9972eff77abc2643783ef56eb2ca3de367bcfb557ca256db5ad3c1595c13aac4636dfff52b3c1

Download Submit