06a191350f2df652d86e6f602638635dfdc621b3677419560bcefd980bb288d7

Analysis

max time kernel
138s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ui.exe
Size

12.7MB
MD5

c18fa308afaa206d0cfab60ff0528523
SHA1

8cd625628e7307673ae8d1a2c2a632dce9a2bb29
SHA256

06a191350f2df652d86e6f602638635dfdc621b3677419560bcefd980bb288d7
SHA512

1708c369ef981aec4a8d8c91f950df80e2f6c8de334d37fb4d202c6a3db4346f41c713dc457b7f1da827737d0c0dd5d27fd20e6221bd9980724691999772a7f2
SSDEEP

393216:NAROramsFvFOEjP5dT0hu5WOpJyw9Xlo67vc/G8l:NARqq5r56hCbpF267E/Ga

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

lightningui.exeselfbot.exeselfbot.exeselfbot.exe

pid process

2444 lightningui.exe
2264 selfbot.exe
2192 selfbot.exe
684 selfbot.exe

pid	process
2444	lightningui.exe
2264	selfbot.exe
2192	selfbot.exe
684	selfbot.exe

Loads dropped DLL 18 IoCs

Processes:

ui.exelightningui.exe

pid	process
2184	ui.exe
2184	ui.exe
2184	ui.exe
1136
1136
1136
1136
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe
2444	lightningui.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

90 discord.com
91 discord.com
92 discord.com

flow	ioc
90	discord.com
91	discord.com
92	discord.com

Drops file in Program Files directory 27 IoCs

Processes:

ui.exe

description	ioc	process
File created	C:\Program Files (x86)\LightningBot\screen_retriever_plugin.dll	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\packages\window_manager\images\ic_chrome_maximize.png	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\packages\window_manager\images\ic_chrome_minimize.png	ui.exe
File created	C:\Program Files (x86)\LightningBot\lightningui.exe	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\app.so	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\FontManifest.json	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\Banner.png	ui.exe
File created	C:\Program Files (x86)\LightningBot\window_size_plugin.dll	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\AssetManifest.json	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\packages\cupertino_icons\assets\CupertinoIcons.ttf	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\icudtl.dat	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\fonts\MaterialIcons-Regular.otf	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\Logo.png	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\packages\window_manager\images\ic_chrome_close.png	ui.exe
File created	C:\Program Files (x86)\LightningBot\sentry_flutter_plugin.dll	ui.exe
File created	C:\Program Files (x86)\LightningBot\system_tray_plugin.dll	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\AssetManifest.bin	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\NOTICES.Z	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\shaders\ink_sparkle.frag	ui.exe
File created	C:\Program Files (x86)\LightningBot\flutter_windows.dll	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\defaultConfig.json	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\Logo.ico	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\animations\success.json	ui.exe
File created	C:\Program Files (x86)\LightningBot\data\flutter_assets\packages\window_manager\images\ic_chrome_unmaximize.png	ui.exe
File created	C:\Program Files (x86)\LightningBot\uninstall.exe	ui.exe
File created	C:\Program Files (x86)\LightningBot\flutter_platform_alert_plugin.dll	ui.exe
File created	C:\Program Files (x86)\LightningBot\window_manager_plugin.dll	ui.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1784 chrome.exe
1784 chrome.exe

pid	process
1784	chrome.exe
1784	chrome.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

selfbot.exeselfbot.exeselfbot.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2264	selfbot.exe
Token: SeDebugPrivilege	2192	selfbot.exe
Token: SeDebugPrivilege	684	selfbot.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

chrome.exe

pid process

1784 chrome.exe
1784 chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lightningui.exe

pid process

2444 lightningui.exe

pid	process
1784	chrome.exe
1784	chrome.exe

pid	process
2444	lightningui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

lightningui.exeselfbot.exechrome.exe

description	pid	process	target process
PID 2444 wrote to memory of 2264	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 2264	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 2264	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 2192	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 2192	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 2192	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 684	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 684	2444	lightningui.exe	selfbot.exe
PID 2444 wrote to memory of 684	2444	lightningui.exe	selfbot.exe
PID 684 wrote to memory of 1784	684	selfbot.exe	chrome.exe
PID 684 wrote to memory of 1784	684	selfbot.exe	chrome.exe
PID 684 wrote to memory of 1784	684	selfbot.exe	chrome.exe
PID 1784 wrote to memory of 2728	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2728	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2728	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1696	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 948	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 948	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 948	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2992	1784	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ui.exe
"C:\Users\Admin\AppData\Local\Temp\ui.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2184

C:\Program Files (x86)\LightningBot\lightningui.exe
"C:\Program Files (x86)\LightningBot\lightningui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe
C:\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe -v
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe
C:\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe -l -savedtokens
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe
C:\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe -l -weblogin
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-dev-shm-usage --disable-popup-blocking --metrics-recording-only --disable-background-timer-throttling --disable-features=site-per-process,Translate,BlinkGenPropertyTrees --safebrowsing-disable-auto-update --use-mock-keychain --disable-default-apps --disable-gpu --hide-scrollbars --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-background-networking "--user-agent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --no-first-run --disable-hang-monitor --enable-features=NetworkService,NetworkServiceInProcess --disable-extensions --window-size=900,700 --disable-ipc-flooding-protection --password-store=basic --force-color-profile=srgb --no-default-browser-check --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034 --remote-debugging-port=0 about:blank
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6c79758,0x7fef6c79768,0x7fef6c79778
4⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1216 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:2
4⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --mojo-platform-channel-handle=1432 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:8
4⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mute-audio --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --mojo-platform-channel-handle=1520 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:8
4⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --display-capture-permissions-policy-allowed --first-renderer-process --disable-background-timer-throttling --disable-breakpad --force-color-profile=srgb --remote-debugging-port=0 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:1
4⤵
PID:284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --display-capture-permissions-policy-allowed --disable-background-timer-throttling --disable-breakpad --force-color-profile=srgb --remote-debugging-port=0 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2120 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:1
4⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --extension-process --display-capture-permissions-policy-allowed --disable-background-timer-throttling --disable-breakpad --force-color-profile=srgb --remote-debugging-port=0 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2524 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:1
4⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --extension-process --display-capture-permissions-policy-allowed --disable-background-timer-throttling --disable-breakpad --force-color-profile=srgb --remote-debugging-port=0 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2560 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:1
4⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --display-capture-permissions-policy-allowed --disable-background-timer-throttling --disable-breakpad --force-color-profile=srgb --remote-debugging-port=0 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3740 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:1
4⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mute-audio --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.9024 Chrome/108.0.5359.215 Electron/22.3.26 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034" --mojo-platform-channel-handle=2492 --field-trial-handle=1244,i,14457195008906151327,10584843062118603956,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=BlinkGenPropertyTrees,Translate,site-per-process /prefetch:8
4⤵
PID:1644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LightningBot\data\app.so
Filesize
8.0MB

MD5
8c7b10725e5138e3754409e66a5f3c4d

SHA1
67fd584587a00cb89c31737070b32e46142705ae

SHA256
41b9cb55847a82626c3f16670053cb8e8897f16dfa199485749e77768d45c3dc

SHA512
a3e66d59364cc5eb9374c5616a2f4f90240a55d112c26d09af80e2bb28ab352516393ddaa6ce726b378e2344e5aaf5d8c65651bb8847f554d09cd6ef68cc8526

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\AssetManifest.bin
Filesize
878B

MD5
1e1ff85c90c45e8a30105e442db175a9

SHA1
ec7ce4ff53cf57fd1c2ed3dfc6efe17798c9cdab

SHA256
31109090a7363239ef97370e1328f136f58ab0aca9bce27799c67c8c88e03d4e

SHA512
3151dc0d7188fb529b6e75683b98dba7c3bd8b363be242fdd9528bd94f0362c53c127ff2c9accd8043a4ab4ef02b789d504549a085090e3804232d8918472711

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\AssetManifest.json
Filesize
807B

MD5
08a8cb061f1ee7b2f890433b058a6c05

SHA1
315a7d58fd6b7a6c6691fde9a81bac5a5ef07af5

SHA256
60d741d8280042fdccc4f3bf311106f9d2df7ff3a730660e9049795ebe82e9d6

SHA512
11d822976fa9280f305fd3e108fcaa725483e26e6fe86e395df9f6212f16eb6b08ebd849ab168e3d1f6c731723c2a41678fa6da764a24c6a6e46a02b39bc2190

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\FontManifest.json
Filesize
208B

MD5
dc3d03800ccca4601324923c0b1d6d57

SHA1
bca264548730f8b1871672891b0ad0c02444bfaf

SHA256
cd7e03645bc44b2dd47b7cb626f51c4ecbf55a197ab77241628b47ac165fbe21

SHA512
eda04affa31ef1d3fe4b081762380a6a5a9364a48e7b6998e870c84495f51a9658724e3f496d90a574f7d5e13740dcf47ccc1c7914b77b6ef0826fe87379cdf8

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\NOTICES.Z
Filesize
87KB

MD5
e3ba96a2074bbe1c6a102973bf61c50b

SHA1
6c14e1dc962f05d722030d62d179f5ccda6319f9

SHA256
67f809127a82380c80c3666b43168843635d654ff4a9f79751fcaff6b01f9388

SHA512
9ae7201dad4798e9c3c808b66da7c0305c33fd62ffa6dfbaeccc765d9d222912742437ee5ab0c487baef3bc84c1b4d2a04296cc63687c6f6d6088aa1efd7d945

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\Banner.png
Filesize
148KB

MD5
a7262f4198b9971d85dc64dc69e5c21c

SHA1
f7c9237b7ab53399d3f94a62c37f27e1e60d06ad

SHA256
7c656bebd4ccc20a854c95c4082a3aee2955c8b02b4719e776cd645eda9382cc

SHA512
3f131a8573ee39c9a96cdbd61da0084126e350b297d7239592c912e7ab328c2ac41c1599a80b67fced3f2ac249ad3eb0ccf7e5d73d863756060c8e01cbadea48

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\Logo.ico
Filesize
146KB

MD5
dafe4dfb00de5157a1ad8b8412bf294b

SHA1
42ebc1500e23a8c708246ff0aadb2d8f82f0af0d

SHA256
77df9eb84b8f1a9cecc96a4e07d85e8efd8c8446a949c044f2a1c00adc91e67f

SHA512
47ac4877be1596a1620b959c6608873bd04c41808e82be61c2549c2ff2043928ed6d493acc7af0ce8ebcf283464c1f09b08ff263feb4e435ced6ca6d83262571

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\Logo.png
Filesize
369KB

MD5
66b2e231bb458ba990db4264fc33a8a2

SHA1
176089b7928351b306e4f3ffd3f380daebdd77e3

SHA256
f79f963e3252c8955eae8c78d8a2dd082bbb3e4654d464af1124ef40fa5741a6

SHA512
5a9306e0ed1fab63b0a37f62f7baf9ccbd0acb63b97f58d2d9c04c64233acdb020c3364a025ec476c8e06182fcc11d43b89a0127990586c8c53111d5d5c6a07e

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\assets\defaultConfig.json
Filesize
3KB

MD5
9d4f94e11ff2843e59a2b2e4aafcffc7

SHA1
e48a5c3a82fbef78913a8bf536b0903a98d65c0b

SHA256
e73f55889a262c66ab13688b71f8ccd6289849b12c29df1176fcebd6100b1b40

SHA512
9f83c1bf6c2f1217f8b5414b8f207e90382166d000edef8e75f282f271d0023dfdf9a9155efeea8a83d42446638a9fde8980094ba3dfa73756239293e1d25b82

Download Submit
C:\Program Files (x86)\LightningBot\data\flutter_assets\fonts\MaterialIcons-Regular.otf
Filesize
1.6MB

MD5
e7069dfd19b331be16bed984668fe080

SHA1
fc25284ee3d0aaa75ec5fc8e4fd96926157ed8c4

SHA256
d9865b671a09d683d13a863089d8825e0f61a37696ce5d7d448bc8023aa62453

SHA512
27d9662a22c3e9fe66c261c45bf309e81be7a738ae5dc5b07ad90d207d9901785f3f11dc227c75ca683186b4553b0aa5a621f541c039475b0f032b7688aaa484

Download Submit
C:\Program Files (x86)\LightningBot\data\icudtl.dat
Filesize
798KB

MD5
da48e432fe61f451154f0715b2a7b174

SHA1
51b6add0bbc4e0b5200b01deca5d009f1daf9f39

SHA256
65ea729083128dfce1c00726ba932b91aaaf5e48736b5644dd37478e5f2875ac

SHA512
5af9c1e43b52536272a575ca400a9eee830a8fcecb83bb1a490515851bef48957d8de669b9f77b8614eb586838af23385e1afce622edb82a90ec7549f882d381

Download Submit
C:\Program Files (x86)\LightningBot\flutter_windows.dll
Filesize
17.1MB

MD5
5e6142b3844e94b800f68997d3da472c

SHA1
139111661241fe6459e72fe801cec113476d97a6

SHA256
af2dd884c6f8acbcc8f06c109949f3a8c938037446f5937744a9bce90af9e03f

SHA512
0023e839153dffabe2370126b74e16ef48671955e070703dc521343fd65c2c6a7aa4fb4f01a70143606898fb5b04d4ecf9875616949b60a8b9dc9278899e45a6

Download Submit
C:\Program Files (x86)\LightningBot\screen_retriever_plugin.dll
Filesize
95KB

MD5
526443fa30fc1988edfa802cc64082e2

SHA1
6a36a087956e7b8a48a6975084bf9015d14cc070

SHA256
219ea1b714a5a20c71bfbd6b127a4b71c220d530df23849e6af027427f715026

SHA512
e3f7119eeb433dc6911768607533fb52eaa9c60595b8a90c8adbf70b5b67f59a4e6c6e1b378cfedb56aa8a0c2e3a5c204e6e88827bfb2dd8f6cb8490201021cc

Download Submit
C:\Program Files (x86)\LightningBot\sentry_flutter_plugin.dll
Filesize
67KB

MD5
b11fedce455a354ba6292cf253e8baca

SHA1
f01f19c8297e186c7af2454a39c92f144de20c83

SHA256
90565d24ee8d5b4fc0ec3e4c5258f7a70937e8a9fbebb299733a88e51186b54f

SHA512
8e387f7100b16edcede45725ea3f0873e702f8d8ce42f1df83abd9dcba02ad3226b3e0e3c39116fe91057248ab5ea94137b1b82c90291bc215a0e3f0b17493d7

Download Submit
C:\Program Files (x86)\LightningBot\system_tray_plugin.dll
Filesize
122KB

MD5
68180a6700d5a25fd4b72239843bc2f9

SHA1
7f42ddc6cebf47d70c17ae9aea224f7bf5fb2d9a

SHA256
27da5adec04eeef6de59f61266d855f74edf7685ed29ee298dbc23099b30d2c1

SHA512
339647f64de1c68204a2336fb1dff7c63bb4e16fd07bd33eede67a0f1589faeca5305aa995f51ec32a2cdf1e3fd2666096523eee08948e31d1cc134b332cba87

Download Submit
C:\Program Files (x86)\LightningBot\window_manager_plugin.dll
Filesize
133KB

MD5
9cfd91f8da8b5a6809651acfc26ad385

SHA1
694127b61a19d83d2ad059a971fe6befb4ae8cc1

SHA256
d6d7bb0133025a723c87301cb9c349ce75806d8924f812caee54512073d6c1e0

SHA512
60f0a24f0da812059028203f84e27861b0766e8052f082847c58c3a21d7a158457401d7ace7bc7071b157e9e480d91173f1504e859caf7d1fd6fa644849ae021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A43.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Default\Cache\Cache_Data\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Default\Cache\Cache_Data\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Default\Cache\Cache_Data\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Default\Extension Scripts\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Default\Site Characteristics Database\000002.dbtmp
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedp-runner2559733034\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\LightningBot\Config\config.json
Filesize
3KB

MD5
730b27b20e0560fa23223ddd38ea68ad

SHA1
e155d97ab20a36c729d44644cb7611d790caeb1d

SHA256
0cd79fde65cc889ea102e2625982e625607c6b3a51a9e4b0bdb82c1c87cf9b11

SHA512
6b7a671cf350016ea56d7e926638712c2a6900df0b86a401da92dcab6c2d0d0884c5e5cab6175895ba19aa6e62ff07a44019df9a44bba7cd1168479cae8e262a

Download Submit
\??\pipe\crashpad_1784_MWWPPHIMTMCUVPMO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\LightningBot\flutter_platform_alert_plugin.dll
Filesize
86KB

MD5
20ac8ad2a77e20f5a5dfd3774b13be95

SHA1
236bb11cea54bd5c73264ed6d793bdb4d8b45bd1

SHA256
10d4209502c5a5e298867ae9ac6a99ca61fe6ad98c2aeed713d853ee873742dc

SHA512
b14280de9696af182be0e057b545fee499e006d499a6de979b1a25192213700b9e31f26c7ef16c6884a793c7ff7ade9bd745c739d93c4b13a89491c86a45454e

Download Submit
\Program Files (x86)\LightningBot\lightningui.exe
Filesize
238KB

MD5
d636449929a9b337617f6ba90c47c2df

SHA1
5e09846eee687e8e723ffbfefd364a56ab6ad2d4

SHA256
af93bad9edd50de663a46a38990306d79db554af69ec1f8d8847a5ee715b6c75

SHA512
2edfcdf4df3abbc7f4fe45cc03ad85da56775f3b2361667991b5c4d3f30692db7c85fbb869e6c9f1bb73e44c2aee9416594aa05d8e01a2c03b589c353e5bfa28

Download Submit
\Program Files (x86)\LightningBot\uninstall.exe
Filesize
185KB

MD5
5cb88278892696933b0418817b08aa15

SHA1
9a91c6947410a99775ca1a66266ee0450f276431

SHA256
6f20cc119a695461985063e70d8f6c24170ac38b96014e6e1b8bd8fde72026d7

SHA512
432e8a04fb00a9355de28b2b24c4850802e78625ab6e953a83071905821ef31e81d3e344e1ce286c3aa1a3f7d30de225aa8928307802f6b67fe4858955ab273a

Download Submit
\Program Files (x86)\LightningBot\window_size_plugin.dll
Filesize
89KB

MD5
510baf38e9edd8d3e406592e8ce9f359

SHA1
aa0aab4688a33d86d0582e087ed7667c6ed9ca14

SHA256
a6f65b97f5f602fa21c23680cdd2085fec94511d62118113585904d2ef7c0ca3

SHA512
18c6037eec0bad2d3afd528a1bed54bee6ae1cbd19d1bd870040d2d52d1b3983a7286f4fb807256ac91726c6c03b3599630e9867555c645d6a2444e5d4d0b818

Download Submit
\Users\Admin\AppData\Roaming\LightningBot\Executables\windows\amd64\selfbot.exe
Filesize
37.3MB

MD5
31c9dcf7a4fc99c3011e1e322bfd234a

SHA1
9fc2af16f51aabb990007b599743dc2a4e556ea9

SHA256
930f87fcd354dc8279c11de2fe4dda55fe195d94ad8f751fa3f39563611bfb5c

SHA512
a97602ea720446c71a6acfd599c62d92876c43851e8561d3911a22d5eabf50c4b8e83dc300feeb7666cb7dfafd4f5657cafebbe2f5f1f47a62b63588faafe0c3

Download Submit
memory/2444-62-0x00000000031E0000-0x00000000039E9000-memory.dmp

Filesize
8.0MB

Download
memory/2444-63-0x00000000031E0000-0x00000000039E9000-memory.dmp

Filesize
8.0MB

Download
memory/2444-64-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2444-61-0x00000000031E0000-0x00000000039E9000-memory.dmp

Filesize
8.0MB

Download
memory/2444-60-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download