hxxps://github[.]com/Dash123123/Discord-Nuker/blob/main/Hazard[.]exe

Analysis

max time kernel
303s
max time network
295s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dash123123/Discord-Nuker/blob/main/Hazard.exe

Score

8^/10

pyinstaller spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
4908	Hazard.exe
4560	Hazard.exe
5104	Hazard.exe
4704	Hazard.exe
3544	Hazard.exe
3568	Hazard.exe
4912	Hazard.exe
1512	Hazard.exe

Loads dropped DLL 56 IoCs

pid	Process
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	raw.githubusercontent.com
29	raw.githubusercontent.com
37	discord.com
41	discord.com
43	discord.com
47	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
1	ipinfo.io

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000200000002a662-141.dat	pyinstaller
behavioral1/files/0x000200000002a662-177.dat	pyinstaller
behavioral1/files/0x000200000002a662-201.dat	pyinstaller
behavioral1/files/0x000200000002a662-276.dat	pyinstaller
behavioral1/files/0x000200000002a662-300.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527155059775319"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Hazard.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
32	chrome.exe
32	chrome.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4560	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
4704	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
3568	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
1512	Hazard.exe
4480	chrome.exe
4480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
32	chrome.exe
32	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeDebugPrivilege	4560	Hazard.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe
Token: SeCreatePagefilePrivilege	32	chrome.exe
Token: SeShutdownPrivilege	32	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 644	32	chrome.exe	19
PID 32 wrote to memory of 644	32	chrome.exe	19
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 2296	32	chrome.exe	84
PID 32 wrote to memory of 688	32	chrome.exe	83
PID 32 wrote to memory of 688	32	chrome.exe	83
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85
PID 32 wrote to memory of 4780	32	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Dash123123/Discord-Nuker/blob/main/Hazard.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ffa0f5f9758,0x7ffa0f5f9768,0x7ffa0f5f9778
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:2
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5168 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5476 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Users\Admin\Downloads\Hazard.exe
  "C:\Users\Admin\Downloads\Hazard.exe"
  2⤵
  - Executes dropped EXE
  PID:4908
- - C:\Users\Admin\Downloads\Hazard.exe
    "C:\Users\Admin\Downloads\Hazard.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4396 --field-trial-handle=1928,i,9988010242763278983,8340308566652848995,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3012

C:\Users\Admin\Downloads\Hazard.exe
"C:\Users\Admin\Downloads\Hazard.exe"
1⤵
- Executes dropped EXE
PID:5104
- C:\Users\Admin\Downloads\Hazard.exe
  "C:\Users\Admin\Downloads\Hazard.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1768

C:\Users\Admin\Downloads\Hazard.exe
"C:\Users\Admin\Downloads\Hazard.exe"
1⤵
- Executes dropped EXE
PID:3544
- C:\Users\Admin\Downloads\Hazard.exe
  "C:\Users\Admin\Downloads\Hazard.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1516

C:\Users\Admin\Downloads\Hazard.exe
"C:\Users\Admin\Downloads\Hazard.exe"
1⤵
- Executes dropped EXE
PID:4912
- C:\Users\Admin\Downloads\Hazard.exe
  "C:\Users\Admin\Downloads\Hazard.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
259f7508a3b9c70edfc2f84e5b75853c

SHA1
59fb7d134f6f427c822de2cc3ea563c4813a1d9f

SHA256
b3b9b9d7d655a6cd30ad87840c371841ccdf433c86f5ed08f22275575624aa8c

SHA512
11f759a92ffa9b8e5ea502180648a1421a1ad335344e92a2786e103fe2b9dd82fadbefe14d22ce9cd0351af433b6de69c05fdcde6e5b3727a3a3664b381e9a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
ea5d8dddc61df79cce0f0bf79ca47022

SHA1
1de8c9cd0c5042aa3d6c3f09b0d69d95904ed67b

SHA256
457347f80adb329828e8215a3847ed45c65fa6eabe16e8c4d64a4d3ed03dcc3b

SHA512
c5806bb6f8908d794249abb36d8613de605cfe7239ffb1bd9df35f6949e4eec2d9fabf4f72369db7474a5417a297d8c19852d2e2c7827b53c8677f4746222a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f690a0ca4054548d1b98508fc6225ad4

SHA1
a08c7cbdd0817fcb956a4340a1ad794e26aaaed6

SHA256
b7081d0ab3f1eae6baf770c298d88fc4856e61f286972e30774663c4eae7f2cd

SHA512
5ef558137089645bcc44b986c9e35090f0c0ee3d4c58cc9bfb843d4b4548011cf92c8fb12931cfe6190bbe1c86c305872d1be0a502b07dfe9824f51b05211573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c183e999fa4fddda9fa3ff7c283a9531

SHA1
9feb3e80c4c9716f064272c538590929fcd90ad4

SHA256
553599dd76107311779f1a048cc0fdd369d982e5680dfa53867c30509d31e17d

SHA512
70d74a4cdb9e87f29d571ccb14d46455b57cece7174f59d72ce6e7886a02df050d119b378e67eb28e35625e8b3bcf9280167f176c2af179492bc0eed4aff45d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
07408baad58bce0dd66d32884734b0b7

SHA1
9392a8f2e4889924f578ab7c2184af84a4094dac

SHA256
5bfdbbd2affe93ecbf71348b726bbb013ccb3ed667ad71bd9dc493d026a33c63

SHA512
881fba0839b8c7425f038c4a5193bce1ea2cedd44ba800365584f1624c4593a549e9efdaff78ca9998ad5ebb36c5264a0d4458b572eedef352d5eec1ca01e4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6d6bceb8c040a55f57b0a97df9bd8003

SHA1
e29d8c3d3f78c16fe6dc845262abefef42268dd7

SHA256
70bb540bc04ebb8010202721cb092468f992a11b7a625f17e7647d660faacc19

SHA512
0b886c238df26c4a55aed21306bedaf8475b6d0503a84faef70ff5645e42bc858c7cda8a1fb2f1cffc9ac9e0c5a8e32d064f2806e5eda4f1978256c5dde28db0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef008a13b56ad833cbb44636632517e2

SHA1
843dca82217df8406f4da96fca5fa3d4c16c049a

SHA256
f991833e968702a1fbb03f29bdfd4569f53cb0b67912fc25f99a3df64cd762d2

SHA512
7bc04a8c1253aa8d2f8f04dcf02cfd03b2d2a5041776f5fdd0692edb7ee116ff42009ac3d437918ec32bffe2d1733236f442e5785843ad2c9b5e88b95e45d6e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c34e8c6f5226ce54e2a555454a73c2ac

SHA1
9d8b4e818463eae0dc0aa038db26e4cfde90c1ef

SHA256
50c4227253fa263e0a9b44cdab9497e01d7605d3f7eed6a49844dd8622daa397

SHA512
22dc3aee4a13bc775fda3a502b54d0d985a49795e840eef3985fd73d7b49ad18f467f04e34a7b4032429d6f419b4a4c361974a3e46c83ca075e078aecb147ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e0b6bfa5299e783fdbf0b8a648d2f6ff

SHA1
f28a05d188b98fe47cd3cfc746270cd3ad050a6a

SHA256
73882f2e9a766c20db6df35324f50914529692cd621f86e7214d78179f22b79d

SHA512
3c21fefc806511287a1c2faa35b7690796496f882c11a5732364c386504bec6498233a8323f737532dca8f644ffd998e6e2ae38b9f333b2c865df29a6529c4f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
870a10f0e24ac3d9bf3eca49ed85d43c

SHA1
37c0c1d27684e4a99c234cb8f6b5e5c9ab040076

SHA256
56299e2af2b8f178ab91760a459e2fdbd355adc20fc1793c5f61348e2f5fed48

SHA512
391235920fa563df7c1278335ee22d1df2c5d915014c3b922e40e79efb1bb5e614aaf82132cb1785fffe3648ea8bf868b9d55c192dd2c3e98c584a85210c62ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
7a7d1bf8d88210b1bf9de8cd952b15d6

SHA1
ba93471f18f73581e59921ab0c9de9dbea62aa08

SHA256
3703eb566dc20f32d7dbe31ffb1241d237afd24025ca8c80aa9cf21b3f30401e

SHA512
2553c77f22a4668ce266dc65a64f8d162e8c62cf091970095b12c08d62f863418875e8f1b38fe4406f99a61b35cf99b3c844414ca028074a6ec52382111cee84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_bz2.pyd

Filesize
84KB

MD5
124678d21d4b747ec6f1e77357393dd6

SHA1
dbfb53c40d68eba436934b01ebe4f8ee925e1f8e

SHA256
9483c4853ca1da3c5b2310dbdd3b835a44df6066620278aa96b2e665c4b4e86b

SHA512
2882779b88ed48af1e27c2bc212ddc7e4187d26a28a90655cef98dd44bc07cc93da5bce2442af26d7825639590b1e2b78bf619d50736d67164726a342be348fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_ctypes.pyd

Filesize
123KB

MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_hashlib.pyd

Filesize
64KB

MD5
ae32a39887d7516223c1e7ffdc3b6911

SHA1
94b9055c584df9afb291b3917ff3d972b3cd2492

SHA256
7936413bc24307f01b90cac2d2cc19f38264d396c1ab8eda180abba2f77162eb

SHA512
1f17af61c917fe373f0a40f06ce2b42041447f9e314b2f003b9bd62df87c121467d14ce3f8e778d3447c4869bf381c58600c1e11656ebda6139e6196262ae17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_lzma.pyd

Filesize
159KB

MD5
a77c9a75ed7d9f455e896b8fb09b494c

SHA1
c85d30bf602d8671f6f446cdaba98de99793e481

SHA256
4797aaf192eb56b32ca4febd1fad5be9e01a24e42bf6af2d04fcdf74c8d36fa5

SHA512
4d6d93aa0347c49d3f683ee7bc91a3c570c60126c534060654891fad0391321e09b292c9386fb99f6ea2c2eca032889841fce3cab8957bb489760daac6f79e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_socket.pyd

Filesize
78KB

MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_ssl.pyd

Filesize
151KB

MD5
6f52439450ad38bf940eef2b662e4234

SHA1
3dea643fac7e10cae16c6976982a626dd59ff64a

SHA256
31c95af04a76d3badbdd3970d9b4c6b9a72278e69d0d850a4710f1d9a01618d7

SHA512
fdd97e04f4a7b1814c2f904029dfb5cdfcd8a125fce884dcd6fdb09fb8a691963192192f22cf4e9d79dd2598cf097a8764aeec7a79e70a9795250c8ef0024474

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\base_library.zip

Filesize
764KB

MD5
935ecbb6c183daa81c0ac65c013afd67

SHA1
0d870c56a1a9be4ce0f2d07d5d4335e9239562d1

SHA256
7ae17d6eb5d9609dc8fc67088ab915097b4de375e286998166f931da5394d466

SHA512
a9aac82ab72c06cfff1f1e34bf0f13cbf0d7f0dc53027a9e984b551c602d58d785c374b02238e927e7b7d69c987b1e8ab34bfc734c773ef23d35b0bdb25e99cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\psutil\_psutil_windows.cp39-win_amd64.pyd

Filesize
74KB

MD5
789827bcbae298d8d3223f33228b26af

SHA1
29de4ad19963292504414196dd3e353084a0e864

SHA256
f79f6732ea5a3675312ef4b9506bed8e15aa2d9c722d30d0c96274675aa9dc68

SHA512
e4d53c2a31b046862accc33ca1fb3327df10fa92e79556d16ca5dccc132bb0812df9454196554c848644c312c58faa07558382a58b53cf8889e61684cfe14885

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\python39.dll

Filesize
4.1MB

MD5
815c7d5343ee63a9bbfe09c50e552b37

SHA1
73797541a1bfc39e176ce6f39511fc9a72dde69d

SHA256
a743b70153b35f83be13359e57bc8d030566974af67eea708db61b19c3aed339

SHA512
642e6db6083c3b12177744054d6080403a5fc557afb6cd8331528dcb48802bd09e8b348a5c52a53501f1a9e6b1f2ffd0c3f6428c066b4e5bce9b8a38f08fdd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\python39.dll

Filesize
3.9MB

MD5
e6fcfa02c16672ce8e18be475d218e90

SHA1
8e56bdca2ca132fd271b648eb3a9b03e810438e9

SHA256
52bb49ea0a70407f7883f307e7a9d1f4b5baed2c248ecb299753efd99e7cb491

SHA512
bf98a880409da7b313a538356ca89cc8d5ee4f880c0e604489a0954f39c12dad72e45a218ecf2cb01e5b9068c1de875b14dad70fa4b5f1eab836e98312058749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\select.pyd

Filesize
28KB

MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\unicodedata.pyd

Filesize
1.1MB

MD5
87f3e3cf017614f58c89c087f63a9c95

SHA1
0edc1309e514f8a147d62f7e9561172f3b195cd7

SHA256
ba6606dcdf1db16a1f0ef94c87adf580bb816105d60cf08bc570b17312a849da

SHA512
73f00f44239b2744c37664dbf2b7df9c178a11aa320b9437055901746036003367067f417414382977bf8379df8738c862b69d8d36c6e6aa0b0650833052c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51042\base_library.zip

Filesize
512KB

MD5
b5fa9f29a2c0e42c02ec54be2766a44a

SHA1
e792e1bf9b35218def42107ce7ef7ecf86d6988b

SHA256
31a159e6b9687ea7f78293837c5994c41a1e4d537c4c7ce1c586e3225cf1ecca

SHA512
b9d4eb441a4404b0795b5555b8e8325e52fd363c7db476d97ef2ca623a2aff13e72034d916f4a7969689463ccd4ca8c7b964e709c3a4508521a040dac3e9dc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51042\python39.dll

Filesize
692KB

MD5
30696c735ffe62839ddf8d302c4e15a3

SHA1
79679800ca130ffd156114c17a334b54330b4a10

SHA256
65e1c4aff6714001d46704c3ad179b65e81d35022937f9dc3343dd828a3cd60e

SHA512
1339a582bac9a25a1bd7bc0ca32348dcc8b4de7c8ae9e94053d67b3609b06579fc2a78c178f7fb4d96f61ff07b67ac5a69c5bdd845182bc282b2782a8e267242

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51042\python39.dll

Filesize
1.1MB

MD5
acbd0cc31258af5830cbf0e19b0ae0d8

SHA1
248ec8d1d67fc054cdf09fa9c42055681a18372f

SHA256
4531c71019f894c68de8d25fcf34bac1a9a636be63f89b4cba01982f2a768894

SHA512
f3a5d6fc10cbf9b42e76875bc7c73458af1a8c480927c5894cd700b91886607e33042fd34b18785ede8dde8f9458f4c90a2b73b87ff6353d04c188b8ac1c8fc8

Download Submit
C:\Users\Admin\Downloads\Hazard.exe

Filesize
5.7MB

MD5
5a84cd2b49703b92e47cc969d4a0f6d4

SHA1
e42d45186a181e50dcafa63e9ed250120bc19635

SHA256
9948213a6b4067cb58d37b156dc604b452c5a86579d83a24a052757193493d4b

SHA512
721e8fcbd4b8e47bdcfd546e4f8f1399d620ed2e008c6539ecfc265b8d28570dccbe956a3c370f894e89175431c1f71bb70fd2275bd982367f8abcf363307680

Download Submit
C:\Users\Admin\Downloads\Hazard.exe

Filesize
4.6MB

MD5
af9319f74b4c99b7652f5cc094761dbd

SHA1
1e0a53f1cd2291acdb735a178f55d11c25224ad0

SHA256
682e68f9ee366e816511b7de491e8c2f62be54484b72246d1543453c9490e1b1

SHA512
76d046442eb3afce0a4c4899ae775f345edde077428696076c0e7d7bafeff48d811afb86ed069f54098b78b12216380131a0e69e399b5658fb6b85b9d828c9a7

Download Submit
C:\Users\Admin\Downloads\Hazard.exe

Filesize
3.4MB

MD5
c54f566d6c55dd4a733000732d1bf237

SHA1
960469ec7d3d96eb23aee5d78019c6be1efe55b4

SHA256
423fa1579a859a72847a944ea9275b0cdcc8cb4e3b0f3ccd022a959a0348f83f

SHA512
c3d3715d5dd5591f553332a8138b206ec7ac0342a563f2f297c1bffad685ab189e8e5ec0a51fd0d925cca2e7c3b71f1654cd6c49c49d50c11611e2560cb1a65d

Download Submit
C:\Users\Admin\Downloads\Hazard.exe

Filesize
832KB

MD5
e4c6720cb9c376c8841051466e70da14

SHA1
bfa23ff5d66c8d39316928d17af0540f0dc5bae9

SHA256
04b35e08886d89925658ccc5f2988c10bfca4f109c8340b7bab39422b9d16ca0

SHA512
34cd46bc1f08b43bb01db172ac2d57b11f1932e9a92f07a2ed3ef7a4e350f1460df205da55cd59814972d9ceb8b93402bc08dce2c942e11764417b26a5f86150

Download Submit
C:\Users\Admin\Downloads\Hazard.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 376789.crdownload

Filesize
6.8MB

MD5
8b051cb93bdd5a17adcc2af9725d796c

SHA1
5c9dfb6f1dbc106294f349f717ca9443aa143b04

SHA256
ef48f6dde45f3f242046f07057b9a7d854a29f41eb3e537dac6bbb9bc11d7c95

SHA512
cd34d863088dd85a0b37388c1cd65f76a005185a1b94361b850e407fc7c33c56467d46160ede8af4602e5e8781d9c98bd176244a8b3a18ac79682ee9c7fcad15

Download Submit