discordrat | hxxps://github[.]com/Taykooss/Discord-RAT

Analysis

max time kernel
64s
max time network
65s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Taykooss/Discord-RAT

Score

10^/10

discordrat discovery evasion execution persistence rat rootkit spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Processes:

MpCmdRun.exe

pid process

5020 MpCmdRun.exe
Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

192 powershell.exe
4276 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

bound.exesetup-.exesetup-.exeSteam.exeOperaGX.exeOperaGX.exeOperaGX.exeOperaGX.exeOperaGX.exe

pid process

4856 bound.exe
4860 setup-.exe
2404 setup-.exe
2392 Steam.exe
4640 OperaGX.exe
4148 OperaGX.exe
2388 OperaGX.exe
4228 OperaGX.exe
4028 OperaGX.exe

pid	process
5020	MpCmdRun.exe

pid	process
192	powershell.exe
4276	powershell.exe

pid	process
4856	bound.exe
4860	setup-.exe
2404	setup-.exe
2392	Steam.exe
4640	OperaGX.exe
4148	OperaGX.exe
2388	OperaGX.exe
4228	OperaGX.exe
4028	OperaGX.exe

Loads dropped DLL 64 IoCs

Processes:

Builder.exesetup-.exesetup-.exe

pid	process
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
1516	Builder.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe
2404	setup-.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI24922\python310.dll	upx
behavioral1/memory/1516-263-0x00007FFA917C0000-0x00007FFA91C2E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_ctypes.pyd	upx
behavioral1/memory/1516-287-0x00007FFAA4CC0000-0x00007FFAA4CCF000-memory.dmp	upx
behavioral1/memory/1516-286-0x00007FFAA4D80000-0x00007FFAA4DA4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24922\libcrypto-1_1.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI24922\libffi-7.dll	upx
behavioral1/memory/1516-295-0x00007FFAA4680000-0x00007FFAA4699000-memory.dmp	upx
behavioral1/memory/1516-294-0x00007FFAA45C0000-0x00007FFAA45ED000-memory.dmp	upx
behavioral1/memory/1516-299-0x00007FFA932B0000-0x00007FFA93421000-memory.dmp	upx
behavioral1/memory/1516-298-0x00007FFAA3EE0000-0x00007FFAA3EFF000-memory.dmp	upx
behavioral1/memory/1516-303-0x00007FFAA4CB0000-0x00007FFAA4CBD000-memory.dmp	upx
behavioral1/memory/1516-302-0x00007FFAA3340000-0x00007FFAA3359000-memory.dmp	upx
behavioral1/memory/1516-307-0x00007FFA931F0000-0x00007FFA932A8000-memory.dmp	upx
behavioral1/memory/1516-306-0x00007FFAA32C0000-0x00007FFAA32EE000-memory.dmp	upx
behavioral1/memory/1516-310-0x00007FFA91440000-0x00007FFA917B5000-memory.dmp	upx
behavioral1/memory/1516-313-0x00007FFAA3320000-0x00007FFAA3334000-memory.dmp	upx
behavioral1/memory/1516-316-0x00007FFAA3ED0000-0x00007FFAA3EDD000-memory.dmp	upx
behavioral1/memory/1516-320-0x00007FFA91320000-0x00007FFA91438000-memory.dmp	upx
behavioral1/memory/1516-319-0x00007FFAA4D80000-0x00007FFAA4DA4000-memory.dmp	upx
behavioral1/memory/1516-315-0x00007FFA917C0000-0x00007FFA91C2E000-memory.dmp	upx
behavioral1/memory/1516-362-0x00007FFAA45C0000-0x00007FFAA45ED000-memory.dmp	upx
behavioral1/memory/1516-368-0x00007FFAA32C0000-0x00007FFAA32EE000-memory.dmp	upx
behavioral1/memory/1516-379-0x00007FFA931F0000-0x00007FFA932A8000-memory.dmp	upx
behavioral1/memory/1516-378-0x00007FFAA3340000-0x00007FFAA3359000-memory.dmp	upx
behavioral1/memory/1516-376-0x00007FFA932B0000-0x00007FFA93421000-memory.dmp	upx
behavioral1/memory/1516-374-0x00007FFAA4680000-0x00007FFAA4699000-memory.dmp	upx
behavioral1/memory/1516-373-0x00007FFA91320000-0x00007FFA91438000-memory.dmp	upx
behavioral1/memory/1516-372-0x00007FFAA3ED0000-0x00007FFAA3EDD000-memory.dmp	upx
behavioral1/memory/1516-371-0x00007FFAA3320000-0x00007FFAA3334000-memory.dmp	upx
behavioral1/memory/1516-370-0x00007FFA91440000-0x00007FFA917B5000-memory.dmp	upx
behavioral1/memory/1516-377-0x00007FFAA4CB0000-0x00007FFAA4CBD000-memory.dmp	upx
behavioral1/memory/1516-375-0x00007FFAA3EE0000-0x00007FFAA3EFF000-memory.dmp	upx
behavioral1/memory/1516-360-0x00007FFAA4D80000-0x00007FFAA4DA4000-memory.dmp	upx
behavioral1/memory/1516-359-0x00007FFA917C0000-0x00007FFA91C2E000-memory.dmp	upx
behavioral1/memory/1516-361-0x00007FFAA4CC0000-0x00007FFAA4CCF000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaGX.exeOperaGX.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

35 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2488 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2288 tasklist.exe
2844 tasklist.exe

flow	ioc
35	raw.githubusercontent.com

pid	process
2488	timeout.exe

pid	process
2288	tasklist.exe
2844	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641200254784375"	chrome.exe

Modifies registry class 3 IoCs

Processes:

bound.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	bound.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Opera GXStable	bound.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

setup-.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup-.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup-.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup-.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exesetup-.exebound.exe

pid	process
2272	chrome.exe
2272	chrome.exe
192	powershell.exe
192	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
3564	powershell.exe
3564	powershell.exe
192	powershell.exe
3564	powershell.exe
4276	powershell.exe
192	powershell.exe
3564	powershell.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4860	setup-.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe
4856	bound.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2272 chrome.exe
2272 chrome.exe
2272 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeIncreaseQuotaPrivilege	5044	WMIC.exe
Token: SeSecurityPrivilege	5044	WMIC.exe
Token: SeTakeOwnershipPrivilege	5044	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe

pid	process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bound.exe

pid process

4856 bound.exe
4856 bound.exe

pid	process
4856	bound.exe
4856	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2272 wrote to memory of 2240	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 2240	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1700	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 5040	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 5040	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1892	2272	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Taykooss/Discord-RAT
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa7d89758,0x7ffaa7d89768,0x7ffaa7d89778
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:2
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:1
2⤵
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:1
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5096 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:1
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1660,i,3166868127770997659,14560047851537503465,131072 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4536

C:\Users\Admin\Desktop\release\Builder.exe
"C:\Users\Admin\Desktop\release\Builder.exe"
1⤵
PID:2492

C:\Users\Admin\Desktop\release\Builder.exe
"C:\Users\Admin\Desktop\release\Builder.exe"
2⤵
- Loads dropped DLL
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\release\Builder.exe'"
3⤵
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\release\Builder.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
4⤵
- Deletes Windows Defender Definitions
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
3⤵
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
3⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Users\Admin\AppData\Local\setup-.exe
C:\Users\Admin\AppData\Local\setup-.exe hhwnd=524492 hreturntoinstaller hextras=id:d8d090d10951db6-AU-error
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
6⤵
PID:5052

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 4860" /fo csv
7⤵
- Enumerates processes with tasklist
PID:2844

C:\Windows\SysWOW64\find.exe
find /I "4860"
7⤵
PID:3492

C:\Windows\SysWOW64\timeout.exe
timeout 5
7⤵
- Delays execution with timeout.exe
PID:2488

C:\Users\Admin\AppData\Local\setup-.exe
C:\Users\Admin\AppData\Local\setup-.exe hready
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
5⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\OperaGX.exe
C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
5⤵
- Executes dropped EXE
- Enumerates connected drives
PID:4640

C:\Users\Admin\AppData\Local\OperaGX.exe
C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.142 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x6d3d52b8,0x6d3d52c4,0x6d3d52d0
6⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe" --version
6⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\OperaGX.exe
"C:\Users\Admin\AppData\Local\OperaGX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4640 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240629073434" --session-guid=438625b3-48de-42cf-ac29-34caa3974ed3 --server-tracking-blob=NTVmOTIyNGZmYjUzNDNlNGZlMGY1N2M4YTJjMDVjNDU5YTc1NjljMzljMzhjYTI4NjI3NjljYzk4ZWUwMTE1Njp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1jOWU5ZDMxMDMxYTQ0MzY5YmI3OTQ4NjdkYzIyMzI4ZiZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxOTY0NjQ3My45OTczIiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiJjOWU5ZDMxMDMxYTQ0MzY5YmI3OTQ4NjdkYzIyMzI4ZiIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6Ijg0NGY4YjljLTRjNWUtNDhmMS1iM2E5LTVlYzE2NzZjNGQxZSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=AC04000000000000
6⤵
- Executes dropped EXE
- Enumerates connected drives
PID:4228

C:\Users\Admin\AppData\Local\OperaGX.exe
C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.142 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2b8,0x6c7c52b8,0x6c7c52c4,0x6c7c52d0
7⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1948

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:2212

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\Desktop\release\Release\Discord rat.exe
"C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
1⤵
PID:2128

C:\Users\Admin\Desktop\release\Release\Discord rat.exe
"C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
1⤵
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
5b36b55b623b373ea3801f3f4e54fdc0

SHA1
f63d50926af8bea99cdb675d5f6a1fc890727eed

SHA256
5fa9d39a039f4a1fa6513ec4b6a893a0a52abb88632f54dae78422e89328dfdd

SHA512
50c94fa20a58e32bf8f1f0f8596af5001912ddafe1b5b07da0485cf3d8149b0907ffc677070a985fa51f79056b8a3caa297054b6c797779dc050d7e13128f44a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9c377c8ff57796dd0767c5eee692079f

SHA1
065e85d017df7c31ab55ac12f9cfc44488a6c44f

SHA256
cd4d2d9932e5787954b7d7e42a7a5890b8db44c0bf13e4e48bc3a3144b77593a

SHA512
6daf23bebc01934a0eec2148a5e37afb20577d5b210625b00d699a718956d28ce6120cf4234c07986bdcc13f308efd70d03ffee37e4cf199eb9d833710343eed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d37a639fa6b239558b9225e5da87bef6

SHA1
0086c141683156d6d3bbd5249fde46e5d230226e

SHA256
bf80a21332f772fd96a116f48d4625b66f66ed5b05c1e261c49fe8ac65a0606d

SHA512
14d1137638e778684d17d29751baa07f57faeb6bc136a7ed54f3cbd3b2802fdcdbbbbbe62f38541a877094e0ee0f53a5c42171357f4d6b94a0a138b4fdab1efc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a8c8ddbd096908a50182318cb9321810

SHA1
0d230ca86c71db13dbc593b71f006ca9f901d9d4

SHA256
6b264fa85af1993e1424aaaa21942de9770092e9ba5c6488e8fe5c4f81377235

SHA512
7047767535e4528c4aad265103b0a2c095d36f82128654a52c68c32c1e62843a7970726500e3094bd43973a578ceaa0889591496ad44be193975d95433a99978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
98755a5effc466aa1cd3999ea111a589

SHA1
999fdb4fb24f2cbe9478797412e569e32e6c9173

SHA256
f176f28ed33c52e355b714a25d02978308cdd06137d8dbd7c45a60c9fd6ea8b7

SHA512
99dfb4f951f5789030ef2dd11639ed22c71d9f227e48e2eaa07a211712b78ae3d8dfefadd31b39ebc52b9904d87137c4c04a5a464660c0562543279ab6efa82a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e2abb651-83b3-4467-9514-dd66629c80b6.tmp
Filesize
6KB

MD5
abbef907849f2dd1a8aaafcbba3f6c7f

SHA1
5b709ee0440a1e3ac8411810cc745ce64c863449

SHA256
32476e5ef66934706739a48f8058954f767508ecfcf5f5e7eb862b6a9a95de27

SHA512
db18eefa0fcd7bcb454af76d219d83b704d0c1a1c6d439a2e780839282cf3352ef1e2bc508c282d7cffe26443fb08c65bb812a94617c48b095caa0641244fe5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
7d6d38e63041dec546d9b43ab74a5301

SHA1
dec1e003cfdb23d587bfd5717291d7fc34d36657

SHA256
d0a764ef1c820e953a1135fae00ad8ccf6a074576faba0269eef1aec48babe60

SHA512
b96837da8e8e8674cbf5c2cd30456c53c901aff34f51694c542a473cf85aef1a06cbd10fb63ed2a182beff86c270175749adaf47dce2041549d4575c4807d3b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9a8ec197bd2d0a84e85fc131bb04b3a3

SHA1
27cff3058dcd26d2fe21574786d1450eed62146f

SHA256
b11c6f11788adbfc876346f0c9e3c551cb5e36f00d88b53a52c9d9d00c0645e0

SHA512
26b7a99e8ff7d4993493637ae4fb22637543380710493f55446c492965d8b5c98a739bf1da8d36011e303ae93df644d237463414b65947e5167d8cb3e495dfa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aaecf40915c83f7b7185e44e518650ca

SHA1
e2f497d62457bba851a6c801c45b828f815e5b7e

SHA256
508677e0ec9ea166312032f7bbc738a43b366cdaf435923af395c360d3cd7abe

SHA512
1ae1ca5cd3e8e281930b2cfa31e1576daa2718bfac52fc6f54cf1e0161d668672df89df442f4ce0ce1f5439ad07a37378ea2d46b95c7af3aa05019f71bff347f

Download Submit
C:\Users\Admin\AppData\Local\OperaGX.exe
Filesize
6.3MB

MD5
a38b7c005472b8a64ffc315ea6302165

SHA1
f27078ff82dfe3bd8f1129a99aec462e9fe8f0ea

SHA256
29727593944f56a789a41b4e3bf849e801ccc2757807bcf746c1907c99cb6a6a

SHA512
c151c708184ecd01bc48202c3cae9a9b19b9b8844143f0be97f401c616b79d7ddb0fa25052c4b55c7d1719fffc20d09e5ca7107503aba76c03cbfd20148e4aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406290734343752388.dll
Filesize
5.8MB

MD5
1a4fdbb85e2b99ec1f3ca6e4716ddf62

SHA1
fb4698270b8664980407b932d76a99907ce1033a

SHA256
e9ead6307f9461d7cadf9a37cae959082e08d9d8d98374e4f7ea15ddd5d53b2a

SHA512
a7da63f9d7f95c0984f120f12df31a7051624fc0825a658cc54676b2835ecffc8f549e37d777158925901b520642d0adf1c3e3046302e24a70514266acf04cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe
Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_bz2.pyd
Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_ctypes.pyd
Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_decimal.pyd
Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_hashlib.pyd
Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_lzma.pyd
Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_queue.pyd
Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_socket.pyd
Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_sqlite3.pyd
Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\_ssl.pyd
Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\base_library.zip
Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\blank.aes
Filesize
69KB

MD5
6052e1e03516c15524417105a4155283

SHA1
a28ecaa2f3205085622a6f8232f6b87bf2c19709

SHA256
9b6e1e3e69184dd5e3aac967ad1f79b162e914492794ab9d792925d8ee4d70cf

SHA512
232c95932f355a0a532a69a59edfa75637cb144bd954ce98dabdfb79a6271745e071d27bbbea9657dd0310fc328486c580c56a9a104cbec7c96ee1c664767904

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\blank.aes
Filesize
69KB

MD5
4ef9098cb1d059ea38360e549aeaa6e3

SHA1
b1af8b8b029d60ee9536e63def364cb1580ada87

SHA256
9870c529742d21622b00cf2266a9504be2fe262323d4012824c2e2a9404da342

SHA512
43663da3a19bdf37f2c412650a358fb7f7c8eda0e82c23872c3cc7aa9b6401684086ade98613f038eeefb92cb5900a2558d66877d1d02d7cd62cb0419af2c4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\bound.blank
Filesize
6.4MB

MD5
026a33c82c9c23cb93dbff5d7bc824f3

SHA1
27b5527bca72ec574efc4fca7844ddd17fbfc005

SHA256
ec50b3895c804b9d3b3f7662ee52ca1d0deda7cf2d438e3a73202b3a5a818f92

SHA512
4d2d7d892a243eecbe37b43874ce709e2822f58c87b1301ef35404a29e81a59381c2677e6f9d17047b3589edc3d2f99d83c45f5d24ab38d0f0815dbbdf53ef46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\libcrypto-1_1.dll
Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\libssl-1_1.dll
Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\python310.dll
Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\select.pyd
Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\sqlite3.dll
Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24922\unicodedata.pyd
Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkw13dzf.43h.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe
Filesize
9.5MB

MD5
3d50042e3e3991be509f56a2951a2183

SHA1
f027790afe9d7ce2ddf17973f0778fb9e983ded1

SHA256
76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2

SHA512
120c6a7778bd9f65f469d3335987b780e736bd895ed944d0988372f891b48f9ba09b50ed9dcffd0bf1fa23a12e215ed1f1ffe75d11c925ff4c08d3e48259a873

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll
Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll
Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj34C9.tmp\nsProcess.dll
Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\setup-.exe
Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload
Filesize
12.6MB

MD5
f3bf344b505893f403f29bba8a53797d

SHA1
07f98e6e08b750d93d913018cdfb8fe1c3f08f81

SHA256
658f91835d7daa63b43d3c618ade30f2444171fdd5c1dbfeefc287b2c5582921

SHA512
78aadce2e84fb813bd85e845f9d42e30f6cd497fa97027410831f78125f832fec045447a94e8f68fc7efe59ccf628fb9c9cf91cd2dc8145e22dbbbe8985350d8

Download Submit
\??\pipe\crashpad_2272_OBFJWQTJVEDPDXBW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24922\libffi-7.dll
Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll
Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/1516-372-0x00007FFAA3ED0000-0x00007FFAA3EDD000-memory.dmp

Filesize
52KB

Download
memory/1516-295-0x00007FFAA4680000-0x00007FFAA4699000-memory.dmp

Filesize
100KB

Download
memory/1516-375-0x00007FFAA3EE0000-0x00007FFAA3EFF000-memory.dmp

Filesize
124KB

Download
memory/1516-360-0x00007FFAA4D80000-0x00007FFAA4DA4000-memory.dmp

Filesize
144KB

Download
memory/1516-359-0x00007FFA917C0000-0x00007FFA91C2E000-memory.dmp

Filesize
4.4MB

Download
memory/1516-361-0x00007FFAA4CC0000-0x00007FFAA4CCF000-memory.dmp

Filesize
60KB

Download
memory/1516-370-0x00007FFA91440000-0x00007FFA917B5000-memory.dmp

Filesize
3.5MB

Download
memory/1516-371-0x00007FFAA3320000-0x00007FFAA3334000-memory.dmp

Filesize
80KB

Download
memory/1516-373-0x00007FFA91320000-0x00007FFA91438000-memory.dmp

Filesize
1.1MB

Download
memory/1516-374-0x00007FFAA4680000-0x00007FFAA4699000-memory.dmp

Filesize
100KB

Download
memory/1516-376-0x00007FFA932B0000-0x00007FFA93421000-memory.dmp

Filesize
1.4MB

Download
memory/1516-263-0x00007FFA917C0000-0x00007FFA91C2E000-memory.dmp

Filesize
4.4MB

Download
memory/1516-378-0x00007FFAA3340000-0x00007FFAA3359000-memory.dmp

Filesize
100KB

Download
memory/1516-379-0x00007FFA931F0000-0x00007FFA932A8000-memory.dmp

Filesize
736KB

Download
memory/1516-368-0x00007FFAA32C0000-0x00007FFAA32EE000-memory.dmp

Filesize
184KB

Download
memory/1516-287-0x00007FFAA4CC0000-0x00007FFAA4CCF000-memory.dmp

Filesize
60KB

Download
memory/1516-362-0x00007FFAA45C0000-0x00007FFAA45ED000-memory.dmp

Filesize
180KB

Download
memory/1516-377-0x00007FFAA4CB0000-0x00007FFAA4CBD000-memory.dmp

Filesize
52KB

Download
memory/1516-286-0x00007FFAA4D80000-0x00007FFAA4DA4000-memory.dmp

Filesize
144KB

Download
memory/1516-307-0x00007FFA931F0000-0x00007FFA932A8000-memory.dmp

Filesize
736KB

Download
memory/1516-302-0x00007FFAA3340000-0x00007FFAA3359000-memory.dmp

Filesize
100KB

Download
memory/1516-315-0x00007FFA917C0000-0x00007FFA91C2E000-memory.dmp

Filesize
4.4MB

Download
memory/1516-306-0x00007FFAA32C0000-0x00007FFAA32EE000-memory.dmp

Filesize
184KB

Download
memory/1516-303-0x00007FFAA4CB0000-0x00007FFAA4CBD000-memory.dmp

Filesize
52KB

Download
memory/1516-319-0x00007FFAA4D80000-0x00007FFAA4DA4000-memory.dmp

Filesize
144KB

Download
memory/1516-320-0x00007FFA91320000-0x00007FFA91438000-memory.dmp

Filesize
1.1MB

Download
memory/1516-310-0x00007FFA91440000-0x00007FFA917B5000-memory.dmp

Filesize
3.5MB

Download
memory/1516-294-0x00007FFAA45C0000-0x00007FFAA45ED000-memory.dmp

Filesize
180KB

Download
memory/1516-316-0x00007FFAA3ED0000-0x00007FFAA3EDD000-memory.dmp

Filesize
52KB

Download
memory/1516-299-0x00007FFA932B0000-0x00007FFA93421000-memory.dmp

Filesize
1.4MB

Download
memory/1516-313-0x00007FFAA3320000-0x00007FFAA3334000-memory.dmp

Filesize
80KB

Download
memory/1516-311-0x00000152E0800000-0x00000152E0B75000-memory.dmp

Filesize
3.5MB

Download
memory/1516-298-0x00007FFAA3EE0000-0x00007FFAA3EFF000-memory.dmp

Filesize
124KB

Download
memory/2128-702-0x00000280B6960000-0x00000280B6978000-memory.dmp

Filesize
96KB

Download
memory/2128-703-0x00000280D1000000-0x00000280D11C2000-memory.dmp

Filesize
1.8MB

Download
memory/2128-704-0x00000280D2170000-0x00000280D2696000-memory.dmp

Filesize
5.1MB

Download
memory/2404-701-0x0000000005240000-0x000000000525D000-memory.dmp

Filesize
116KB

Download
memory/4276-346-0x00000207580F0000-0x0000020758166000-memory.dmp

Filesize
472KB

Download
memory/4276-337-0x0000020757FC0000-0x0000020757FE2000-memory.dmp

Filesize
136KB

Download
memory/4860-653-0x0000000006F70000-0x000000000746E000-memory.dmp

Filesize
5.0MB

Download
memory/4860-595-0x00000000053D0000-0x00000000053D8000-memory.dmp

Filesize
32KB

Download
memory/4860-583-0x00000000053A0000-0x00000000053C4000-memory.dmp

Filesize
144KB

Download
memory/4860-639-0x00000000062C0000-0x000000000634C000-memory.dmp

Filesize
560KB

Download
memory/4860-644-0x0000000006240000-0x000000000624A000-memory.dmp

Filesize
40KB

Download
memory/4860-645-0x0000000006350000-0x0000000006372000-memory.dmp

Filesize
136KB

Download
memory/4860-646-0x0000000006380000-0x00000000066D0000-memory.dmp

Filesize
3.3MB

Download
memory/4860-650-0x0000000006A50000-0x0000000006A5C000-memory.dmp

Filesize
48KB

Download
memory/4860-674-0x0000000006C90000-0x0000000006D22000-memory.dmp

Filesize
584KB

Download
memory/4860-609-0x0000000005380000-0x000000000539D000-memory.dmp

Filesize
116KB

Download
memory/4860-517-0x00000000004B0000-0x0000000000888000-memory.dmp

Filesize
3.8MB

Download
memory/4860-601-0x0000000005420000-0x000000000544C000-memory.dmp

Filesize
176KB

Download
memory/4860-589-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4860-577-0x00000000052F0000-0x000000000530A000-memory.dmp

Filesize
104KB

Download
memory/4860-571-0x0000000005330000-0x0000000005362000-memory.dmp

Filesize
200KB

Download
memory/4860-565-0x00000000052C0000-0x00000000052E8000-memory.dmp

Filesize
160KB

Download
memory/4860-559-0x0000000005260000-0x000000000528E000-memory.dmp

Filesize
184KB

Download
memory/4860-552-0x0000000005110000-0x0000000005138000-memory.dmp

Filesize
160KB

Download
memory/4860-622-0x0000000005A90000-0x0000000005AA2000-memory.dmp

Filesize
72KB

Download
memory/4860-544-0x00000000050E0000-0x0000000005104000-memory.dmp

Filesize
144KB

Download
memory/4860-536-0x0000000005090000-0x00000000050A4000-memory.dmp

Filesize
80KB

Download
memory/4860-657-0x0000000007A30000-0x0000000007FE4000-memory.dmp

Filesize
5.7MB

Download