discordrat | hxxps://mega[.]nz/folder/DPpwDRaa#AWfh14h5EVLyriwm2eTMNw

Analysis

max time kernel
185s
max time network
186s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/DPpwDRaa#AWfh14h5EVLyriwm2eTMNw

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5OTY5OTgxNjA4MzY0MDQ3MA.Gq_Ki5.PzGxhdDG3Y6eXM_A-f81bt9oMUSnRun3oq4RwM
server_id
1175732353415516180

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
2	discord.com
71	discord.com
79	discord.com
90	discord.com
96	discord.com
70	discord.com
76	discord.com
81	discord.com
88	discord.com
68	discord.com
84	raw.githubusercontent.com
97	discord.com
62	discord.com
64	discord.com
95	discord.com
89	raw.githubusercontent.com
12	discord.com
77	raw.githubusercontent.com
85	discord.com
75	discord.com
83	discord.com
91	discord.com
3	raw.githubusercontent.com
80	discord.com
93	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640700754384740"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\1njectedspoofer.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1156	NOTEPAD.EXE
3980	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4868	SCHTASKS.exe
4448	SCHTASKS.exe
2324	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2112	2008	chrome.exe	80
PID 2008 wrote to memory of 2112	2008	chrome.exe	80
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 128	2008	chrome.exe	82
PID 2008 wrote to memory of 4920	2008	chrome.exe	83
PID 2008 wrote to memory of 4920	2008	chrome.exe	83
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84
PID 2008 wrote to memory of 3776	2008	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/DPpwDRaa#AWfh14h5EVLyriwm2eTMNw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda483ab58,0x7ffda483ab68,0x7ffda483ab78
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:2
  2⤵
  PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4468 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 --field-trial-handle=1840,i,5476689410962110934,17640055420133259593,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E8
1⤵
PID:3952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2404

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_1njectedspoofer.zip\1njectedspoofer\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\1njectedspoofer\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3980

C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe
"C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe"
1⤵
PID:4648
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$771njectedspoofer.exe" /tr "'C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4868

C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe
"C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe"
1⤵
PID:3576
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$771njectedspoofer.exe" /tr "'C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4448

C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe
"C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe"
1⤵
PID:3572

C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe
"C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe"
1⤵
PID:3468
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$771njectedspoofer.exe" /tr "'C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
dbdd1fc7809ac0635eaf352db5c052e2

SHA1
3899e735968f58faae0c302395cb594519e2a95b

SHA256
39c3ac32ea10854686cd5f65f70ec3c623994c0bb8e23738f700a0ca0f6c1ebc

SHA512
5dfd0e269ff8a4e338976dfa65e1b276e97eb66305032fb7f0183d6509f9ed0ce82e956413cd6b3c043dbcd0b8d000e35dfbdd59650b77b916596a49517b8320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ec651580561e0e6960c19a147e8e2c40

SHA1
4506c0ac98bb4d460f7fe3b7df4703cd117a61f5

SHA256
a120978dfbfe8ce664a99d04f189e5bfc9dc8437fd7ad76765f9ec213f1f627c

SHA512
6b00902f64588d9d27ee3f795b5bae5f260364e2aca09958372498ca1fa6d5e44a8a198357da092ed03db8819d94c04419aee09e05b43ec6543d9711700adc49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e19b9cb326e2e3d39d35f1733a8dfffd

SHA1
75b538158d88763716f9ee134ca07ac10fb7a007

SHA256
b84e2a55be06309164c652a8ef577555fbf6dc1e8da22923f98a1b60c8e02324

SHA512
a483b4a54d50f79c9298450d3bffa87fae5b93f9fd3059f968978aa345c840167bfabf87289840e7548459847060c7822d24a897585e467a0871937365195667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
24e8e8ee2f9088148cfe01ea8e549f0b

SHA1
f5b1a03099459cf9d0a5a7259f2584819bb145c3

SHA256
b04aca0f787a517a94601c377c7a4e793d998b293a22e24aed349a805e0eaa2e

SHA512
81338012aa83df14d299d9758d147e0e3ce598c86fb06ca30a653df47fca35fdc3e28df432dc240544920e92c758b4e09255429659db984e0e189926d911f734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
394108540ff1f7fccebd9d96d2670bee

SHA1
b7520792a3d95cfce77e2d0a905feacce895b9d2

SHA256
1f152ca39a10499672b75980958ad4076a00a9731220c64814b36333c851236c

SHA512
b5d330115c77c88a5c705b8bec7aadf45bd949413cc71e979125df3b6d46a8f5096098d26da29bff4f008a55d403601dd4918613dc1112963360ba5eb4abcded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
10a95f7a695e0b8374048b4de255b118

SHA1
7eec9233d8fb20bac94b306bfa3543b7f0444569

SHA256
86aa921eb4184f112470a85ae493c6d073c2f2c564933814668d2bcef3b05a62

SHA512
a5c068bc78037bd113d91c6c6e85b4520eed11eeab00fddcd2702c1c64e4b712b5d27a673af30626828f907a567359106bd28eccef7d5cd98f7bb1ee862b7a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
341a98ca1dac8b95105885756c5dffb3

SHA1
786a23cd7317d7dbc5f9a2ed5c8de361d6b39d1c

SHA256
7c227693c49d06d19be9a417397d3820f82289bd9d20881c0c1f77ab67b5eb14

SHA512
c23217c1c149e044594c4cd0f563d0eb96764b63fb3f78e2aad03c80651d3f7860b9b2e6506d6e95d9c1af83d52d71e7e2c85ce25fbb5c8f02aed8e5bd5d54e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
889a6e354de45761fd2b9e65e6be8bc3

SHA1
0489e4011c1aba67e99f0b44675695e5d54ef55a

SHA256
7aa27c1ffb73e905c29b6f852442cac6d53347e6cdfc14f43d43d1f1364f1975

SHA512
46d8ddd52dd2400ff08445fd67d3cb8a21b44f4d26956cad77c682749db9c2e7c4ea84d5689136f29a7df5ccd86a6be09aac446ea97d5ad8bb51353524ce1a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
6b30cfba33dbdb72127a6d06fa3d6d18

SHA1
83871c990e5ddb65606129a88a182e43fafbcf24

SHA256
50fa846deb671a8c203300dfef28110fefaf1e7776fb73f75a0c68bdc5f7cb0b

SHA512
a6548752f32cb06a4f9be8dbd5574995854e3a9745154d41b6aac6b88603cc05ab158a4caec4df6a416a4ac6ebb00b6f5b5b462c5a0851f5bccf4d063d8ec7c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
7bd5aedadaf13f983207ccd006f34410

SHA1
cedf05ef5ab3070a0fc13d459db60c6d090b2810

SHA256
aaf6135bf98bdcc3f2cc1e63f08dbc2f7a7d25390b8f459a9d8a7d24e7297a5c

SHA512
6a16869007e81ecb9a063729d2788ceebe2b14e764b1c0c59132d8082ef549d11fe1dac9ac2e097b0a5ec3314ffe01f3aada30d6e6a052ec17a9cdd602bd6910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
161KB

MD5
69081bd0302ec6208d28272072ce89f5

SHA1
555d525132ebe6f26909050f38e39a91da655471

SHA256
684b2cc7573ab772b584ff099276c7723f8420efdc323d092533d3fb0bf38ade

SHA512
39d0a8597fcbb658cbf3c4ac75bbb2293254c6dfd419d42648ac8589275c1c3510883b8392cc4ccfa5909acd4b21e3debbdd2dbe5154140367ef4b8c3e2e7b66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
52750d5b1a4f503ae801579a7fd5549a

SHA1
a840722156bd4d0a90f6dc839f191066dabca7ba

SHA256
5c4742d8f6008fdf35ddad0cb60f58018844e9185635f22fe74205fbc9087e90

SHA512
92610de9bbc712810d88b66b033d1494ebc5025a8f7182acb36c5515434064b8bdcd277e6158259f14500adf21321c1e6241a71731a97a00178a004ddabd70a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
9b6f363311aad9f5723b2968ee0cdc5d

SHA1
b445602880b95b83bf8b053162105b55eda899c4

SHA256
d7d7c77c868b2028777eba71a215a1307000e6bc5b4e39050165b2dc5c9ac464

SHA512
d51b8221f3f0034f6b2c594d1f3cc30f93449ca6943bb14389b4897828921921973079107ec619c0d9060bfc53bb5a5d1c0884857db718d4188fa9925cbb3a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
96KB

MD5
02778cd32773f77e99ca6ac3444431c3

SHA1
2ee2b2225c20984dbbeb7bdd0a4986aac17673b1

SHA256
bd6633de6347e580a6ddfd2eeb2c08830f38337b262aebe877dde885752c5352

SHA512
3dd3fae9bbf1ba049b365fafbd58b2aa64967a4386e5eb67714a8e952ee64a5c5d267b01a132908b335a742357261259596342916b48c196c552d499c1661fd3

Download Submit
C:\Users\Admin\Desktop\1njectedspoofer\1njectedspoofer - Shortcut.lnk

Filesize
831B

MD5
76da35d95ee7b934d4b56ef5ef2249a7

SHA1
ed54f631dccbbbce523881f615525e52c7112624

SHA256
bb865f264749316de96216ed5f735db44312153ebcdba0c3365f28f7cef510ca

SHA512
a5dfef04fed1eebd99d518fcbe59fe81b51798db76b9957b774225ff5640120e7415ad140611153bd1ada5beb1814aec43a825f5297a708100280dd81fd7a13c

Download Submit
C:\Users\Admin\Downloads\1njectedspoofer.zip.crdownload

Filesize
1.2MB

MD5
31427832621ab93c775186daa9f6a568

SHA1
d7d22e37cea9d364ed999cdc667f85ce4b32b522

SHA256
ee428cc5b7efd1fd7a7b476800994b295c650f64a8132eb1350f4d400198c83f

SHA512
de363e7496bbc4c5bfd1c3088e2285eec833ddd920c285c9c408aa932b68b729ee021b1a5fd336ca1ed8d5126004158098e2488dfe3de8248d2c71d1a9ed659e

Download Submit
C:\Users\Admin\Downloads\1njectedspoofer.zip:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/3572-358-0x000001B74D480000-0x000001B74D492000-memory.dmp

Filesize
72KB

Download
memory/3576-359-0x0000027580A50000-0x0000027580A62000-memory.dmp

Filesize
72KB

Download
memory/4648-353-0x000001C2DF0C0000-0x000001C2DF282000-memory.dmp

Filesize
1.8MB

Download
memory/4648-355-0x000001C2DF550000-0x000001C2DF5C6000-memory.dmp

Filesize
472KB

Download
memory/4648-356-0x000001C2C6700000-0x000001C2C6712000-memory.dmp

Filesize
72KB

Download
memory/4648-357-0x000001C2DF060000-0x000001C2DF07E000-memory.dmp

Filesize
120KB

Download
memory/4648-354-0x000001C2DF8C0000-0x000001C2DFDE8000-memory.dmp

Filesize
5.2MB

Download
memory/4648-352-0x000001C2C4A30000-0x000001C2C4A48000-memory.dmp

Filesize
96KB

Download