discordrat | hxxps://gofile[.]io/d/PqrHs6

Analysis

max time kernel
300s
max time network
275s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-02-2025 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/PqrHs6

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNjc5MTA0NDA3NDc3MDUwNA.GL9u4W.uLqV3V-rXEb4Yg96m0CEunqS0Oetb1sTOK2j44
server_id
1336783631586164860

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Downloads MZ/PE file 4 IoCs

flow	pid	Process
33	764	chrome.exe
76	4516	Installer.exe
81	4516	Installer.exe
87	5696	Installer.exe

Executes dropped EXE 4 IoCs

pid	Process
4516	Installer.exe
5156	Installer.exe
5472	Installer.exe
5696	Installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
84	discord.com
50	discord.com
75	raw.githubusercontent.com
79	discord.com
86	discord.com
88	discord.com
42	discord.com
51	discord.com
77	discord.com
74	discord.com
76	raw.githubusercontent.com
81	raw.githubusercontent.com
85	discord.com
87	raw.githubusercontent.com
37	discord.com
68	discord.com
70	discord.com
89	discord.com
38	discord.com
72	discord.com
82	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832611547659424"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
5168	chrome.exe
5168	chrome.exe
5168	chrome.exe
5168	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeDebugPrivilege	4516	Installer.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1320	964	chrome.exe	82
PID 964 wrote to memory of 1320	964	chrome.exe	82
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 3288	964	chrome.exe	83
PID 964 wrote to memory of 764	964	chrome.exe	84
PID 964 wrote to memory of 764	964	chrome.exe	84
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85
PID 964 wrote to memory of 2496	964	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/PqrHs6
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8fd20cc40,0x7ff8fd20cc4c,0x7ff8fd20cc58
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1628,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3136,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3384,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4372 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3768,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5180,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5348,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5500,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5520,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5660,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:2160
- C:\Users\Admin\Downloads\Installer.exe
  "C:\Users\Admin\Downloads\Installer.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4768,i,1652021102218088669,14187883764204783986,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1420

C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
1⤵
- Executes dropped EXE
PID:5156

C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
1⤵
- Executes dropped EXE
PID:5472

C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d1acf3fc4284b32dfdddd323afeae075

SHA1
7e5f13a02e1fc39507270b0f90b8fc481f80381e

SHA256
ea5e5c5d5ce9c0b87eca08419ea57603722aa7f1b25ce409bf7ad318af217a0f

SHA512
cada1792dbee95394e2c34638c60e86429fcb9f73a99e5013494d4335a0396294da44dedbd46da6d5f8b6fb702347a7c234964ed8d1c38a99a1b157be8d8cb82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c2eede484f9c9029d343b8106fafd337

SHA1
a60ffcd570e2cabfed2dad6ff171883723b7a8d3

SHA256
bd080561439def52969cceb71b6015e79c920b1f8e105c71eca07084df037c69

SHA512
6f3d09f04a988df98dab9e3596f20044eb6594fa7e657c5a12dd25da1e84cb27948a12631c20b350c43edac292529f254f7753cc40ece3d9270e600a4ebc3afe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
75e0b28bc5af1e5890314e839becccd0

SHA1
5b7bb68e74f6c8d347daec664f7a04beeea97307

SHA256
98eb0570ba2b592cff85eda17131871c299022efc98f321460009891729353e3

SHA512
010a8d3eab1361c841b0ad4e44df177d0cf36200101a4e853c217e5f0a1dd8e73ea7c20fdc940288232723886d9fe7730cea47cf463ec00cc1ac1c81303c2c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
3ee21f7adea6961b19bc0307f98151ca

SHA1
5a205919b8389926d369692a1bb0f4a6d8ca0490

SHA256
ee9e04e7280a2d7f19f590092fab97d67a04278283dbe3d5f498609bfaaec9fa

SHA512
788c131d63abe453433b66a359bd79bc49b0bd2b3b8b1e277fad98740088d9d3019f712ebe4b5d1b7e75c94c1754a49ae3f92856424fb1fae04933132eac9e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c22ba1a6a26d6c03744c55bccddb1886

SHA1
a2e77195b01fb690db6eeec6c4023877afb91f35

SHA256
89f93dc3cb7d2e7e021d31cd2223bfb6dea8eef4060b4dece24a68a094ff3ff3

SHA512
ec2df1d799de0a9e96bcb86d2cdcf91e9ae4e0816e29ed6874b04820030b26a9570be8d4d572941855f4ab4d9ce36091902de388472d3398b321652431b4070c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd817b86fa20b5c29f2ac968d82946fa

SHA1
a967174a53e15185f00dfa99d7852209bf6d70b7

SHA256
3b8a3fe57f27566ad5a79ffc2407085d03043bacf97bdb63ee827dc78ddf499e

SHA512
a127b05a8101f6004a4da3ed8abacb00348216dd41d5565592c6100effdb4885c74467f30cee18fa3bcd1997cbeba17a5e0327f0ef38d6d1ee95d5aa54ca4e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95e720ef6b29242fbc6141010b2926ac

SHA1
f8c98a38e37cc06ab2ee122b6975bcb0bb9b6cbe

SHA256
a0eaaa7fd9f870842011416847096629a5404685ddf136c77d1d7dbb0092d4f1

SHA512
a7ea6224437588f5de6b12546caa438b0018d47784462491c014f05eaf701a49892acbf4497ad3a51325fe22be93d9f927aa05ea8f92ed094ad41c9a5b22188e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d344ab30e3f89976bcc4f52738e51143

SHA1
d1707b4a3102314beebbfd46e74361bd6c6f7638

SHA256
f44081074bab9ed8d7491ab259e216bcdf5190f33ff5b2f586599a460f49cf09

SHA512
ae9f51371bc1e365aa3bf24c61d6fc711cfe24e1986ac74a537a2f4eacdbc2b27d6689ce2ddb707e9d942d5bdc8581eb391971a68f0615ac18393e50d10d5a4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53ddee88e664344d4854ed4db0931ef1

SHA1
07bd0fdf6f08765568ef4d903d47262cc76da789

SHA256
334cf01cbfbdeab7e185760cacf53318058234a785bf55175132ee5fd37be327

SHA512
364fda327e13f184ff4334c88bada433249a78991b703eb444db41635c40e9812ade261d96b8ff1d244b59125414feb72c94e6779e88b3faf41b23722b213fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db5629635d2afd9c017f19de57a60501

SHA1
2c4d75147f9a0f91a78f7e0088bfc8a5a53beaf7

SHA256
4daa898827dc6f8e43c263451341b682823719090d5f0bcd844ff3bb4c201795

SHA512
d1eab7c2946384b1270317ffc96ed5398cf019154d0c400f370dfc08b6534525bf94439ca56844bdee9d101b74cbfd6b75aa242359f40a075adb3e1e83066a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f2d3ec8d20a37d47a00cf0860ee43e99

SHA1
36ac3572714468940036e3cab3bd02bbd58dfdd8

SHA256
6aca781757ca15022646fff80a9708eeb5843efcb44fd87409fbcde209325dcf

SHA512
139301f7ba259dbcc68123668b8475df13904812a5d17e0e04f0ac36d2901e5bedf94944b01e7fc70335fecd1f5286f611f9bf097299938746243f97ebb634f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d86d1608c4ddf4cbb6dddf33baad3e4e

SHA1
1daadd4e7e93a45aa6cef620ce7a82626fa3dd63

SHA256
759ddc3942c1ebe0efae941cc499c355c2e4f618ec7c342e89cf0892093e99dc

SHA512
84cd8cb7479044624e85e627987c7ea8cae3e317a9b1193998f2f0b2b46b2c781a896f6b71f73919b7296470047d9c0292b80d232a119ca2489906f9caccf698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80b0d65386f83dd0ac6d02cc23930e17

SHA1
089ca43398bbaf39a98560e43fb3b56980219999

SHA256
abd343a185d931f0656edf3261aed6c62b66fc4fdad6c0c67c2d0763bf6402f6

SHA512
4867764e7e238cd311e2f35d8d4ba1900c80f60e2fa19cfd6dc5b3adac26cdb0629fd0f1260c5c5de75ea6bf00f76d34ea97f6e4814213e667a1a267b56e569d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b79758f69d4e77f80821e78a149354b0

SHA1
697690c32e04c7f87b093a9c81d5837129f94fa1

SHA256
7391eb5a99443026e2df8004210fedcdecc40a31d2bd92d0e94b7f2ad90279c8

SHA512
f7edc3f10c815d031954f4d1f07ee13d536d37f04dcc9dbdb56aebbaf3ccb10537dd5aaa5a525fafeb18b155dbf880bbdd306b75b21a57ad6e230aa049e03b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5db35e0e405c0c37e7f6e6a168a9527d

SHA1
660f8ba0ea5ffc49da4d7e048b75d75cca4e8035

SHA256
330a27c95526675b1d6e992d9217713f87eb85d3665a1973b65f15f0a1c25899

SHA512
962b47746cc1282915f45ec602fa602618152a72912817bea7f165ad0683be1c216cd53e1b745ed6a100b7c6805c535a3dd74eb1be69dd9e25181f5b25d3aab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
deb9db9cb77244f0a5698f3d8a00fa8b

SHA1
bc117c085d060a5f313ab27a8806e929e046a8b7

SHA256
11f4e9e081601dcdd8ec81f513b0b758b0f1bc61f2e25ccef651e61f2be8c3b7

SHA512
1fd6fac3b60841651980360743d545ffa5c1da8973e30fc267cb3551f55e78d964a81542ba2382a876d08df69acd1fe984601169313658a22d44903899c113bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05b1a5e191c799c68ca9cf870e9e30d7

SHA1
1af29625987dc310cc1ae8699f27970e97b52645

SHA256
3b61b68a24632530b4268d69dd130f17e95453311cdfd40bc4fe9988280f1e5a

SHA512
5ee9f4ab77dc4749aff6b60b264bb7216b78e61e6022129ff1578f5a414ca4890bc84084846cf2104afe8c9ba64c61b8d2d57dbc2f430c6dc3b8453764b6ae4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8eb46c270d392c0eda35d06cd908281

SHA1
fddd0b96913aca044e6e820a2a649863f8670bfb

SHA256
c2e77e161aeb24183ffb045356ebaaf512ed5de079194842608d151895d04e10

SHA512
3c60e3bd056862ba7aaf39ebd4f78a4f5d3a1ade24ead7e99ceae1bd0f74528e4a1f24150b43ec4fa2bcffb536d9c7f6283235864d80b201f0b84f64885f854c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd9b2f0db4742acb70ce3e23112f2eaf

SHA1
954b216a33c2da09aa99001762adc9160696c60d

SHA256
8e6fecf1bb5f560ff2e66db4c122fd8deb77732aa2479ff00ade88901db206f6

SHA512
b91e47a24c6f60ab29e2d7cc73db7643abb13ecc3f3028f7bd3814c1e9b4232073b0484d76dc2658b770f3ca64f125f2f525c3fa49a13b2a75a843b317962fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4723f88dfaa28c13d2450499acb64b89

SHA1
2b5ecc8d3fa5298281cb886fc5e696e418bec54a

SHA256
b211c3a8b45d15801abf93db0e5c4e73fa10e4012b5eaf927742d0c165565bac

SHA512
d95c0d6ad114812ccd5501435ba0cac44c61e960677b139e9b6ec9bb308c1931aca2467ee047fe81bb989412f846e83853a5271b79fd062405388d7fae5d9433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
368c17a453631c87802797625ea13f22

SHA1
0a2ffc5daf621b40d4b15b1d1c9fd703f8037a8a

SHA256
188b300060715e8abc7ed482b88e4f3ad72e2087be80d3a8da3e5112c01eaec3

SHA512
6d3eefd8231b1597d9813dc6b50be353d052ae4e72118e947f150b08e5dd1a84123920316b7532a229e9274a8071246e8007edad2bc3ed3304f2f701579aaa76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
0dc7235fe69c8b18a3789a7337283424

SHA1
ccdfdecb723953c3b9922e1fea04446b449bd3e5

SHA256
2be7e870c7e18e60932a9ea419cc2fa1cad316c5f9cf904a4c21be19341e4541

SHA512
324c3ede4d8200c901b525b971bac536a92b2ba9d397f016ed8c23d559e980b00ab728a602679ed2ca93fa7e19ad65faf403a13d365982b587c6bb002a9d0848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Installer.exe.log

Filesize
1KB

MD5
2d65622b966dafa8a26f6bc1b92f6d39

SHA1
9d47911046fda10f301cd2f18f8e1c0c630d50f9

SHA256
aae339d5c50d1e4c75ff2977f144e6fdab5d12b35d07c639071ce15f044bf8ef

SHA512
6c83e6ee282afb49c32e0ddc71a5b5bc5e5c3cf9420b21844bb994b33821325e17ceded3eb2d3b3ff8cba964e7c74fb2279c216c5c8fdd82cf6247e63b4eb4a7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 734211.crdownload

Filesize
90KB

MD5
291d86126a91ca8ea314c0eb95f70576

SHA1
13c2c36150a37f1a7714eb82a369ed696184fdcb

SHA256
451a8290b54da48b299dc11dfd7094efa962f838917259857d6a3f2c28cb92a7

SHA512
1c99340f4c35df4070c81b424b10bb27c99823cb363bdaed63d778aadacc7407f9732593a5b912b1543b4bdf682c2ecdcd30798dbddc4ee4133041d35f2fc7de

Download Submit
memory/4516-94-0x00007FF8EA453000-0x00007FF8EA455000-memory.dmp

Filesize
8KB

Download
memory/4516-92-0x00007FF8EA450000-0x00007FF8EAF12000-memory.dmp

Filesize
10.8MB

Download
memory/4516-95-0x00007FF8EA450000-0x00007FF8EAF12000-memory.dmp

Filesize
10.8MB

Download
memory/4516-93-0x0000028D63040000-0x0000028D63568000-memory.dmp

Filesize
5.2MB

Download
memory/4516-85-0x0000028D48260000-0x0000028D4827C000-memory.dmp

Filesize
112KB

Download
memory/4516-143-0x00007FF8EA450000-0x00007FF8EAF12000-memory.dmp

Filesize
10.8MB

Download
memory/4516-84-0x00007FF8EA453000-0x00007FF8EA455000-memory.dmp

Filesize
8KB

Download
memory/4516-132-0x0000028D62D10000-0x0000028D62FDA000-memory.dmp

Filesize
2.8MB

Download
memory/4516-130-0x0000028D4A200000-0x0000028D4A20E000-memory.dmp

Filesize
56KB

Download
memory/4516-86-0x0000028D62940000-0x0000028D62B02000-memory.dmp

Filesize
1.8MB

Download