discordrat | 6e5a7e84c00bb60841597ca8d72e1c97df3b65a5c983a38c7e30123d80c2b353

Analysis

max time kernel
101s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FNcheats-external V2.zip
Size

276KB
MD5

42d568ccb0414085ad31aefcc234cfe3
SHA1

51bd9a739f500b3c8ea9de978fe0227b1ff8ca67
SHA256

6e5a7e84c00bb60841597ca8d72e1c97df3b65a5c983a38c7e30123d80c2b353
SHA512

ab015818d1d22c0b1d7af623099d4f96618ead26c390e464fcfbd2a501762539c93876cfc5d95178ddbe916edd6a4e1adce35387da6969a9e397d746cb18ead9
SSDEEP

6144:6CoMo2n9dH5M2vkm0y3Cl3pId9RC9pvZJT3CqbMrhryfQNRPaCieMjAkvCJv1Vim:VoMo2n9dH5M2vkm0y3Cl3pId9RC9pvZq

Score

10^/10

discordrat evasion persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1ODYyODA0MjA5NjUwODkyOA.GGFvBA.PJRyO9Y1MLr7S58RTAV0VkCKcrUamDKm39x04w
server_id
1258309505909919774

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4864 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
28 raw.githubusercontent.com
31 discord.com
33 discord.com
2 discord.com

pid	process
4864	netsh.exe

flow	ioc
3	raw.githubusercontent.com
28	raw.githubusercontent.com
31	discord.com
33	discord.com
2	discord.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3996 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\FNcheats-external V2.zip:Zone.Identifier msedge.exe
Runs net.exe

pid	process
3996	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\FNcheats-external V2.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
244	msedge.exe
244	msedge.exe
4128	msedge.exe
4128	msedge.exe
3900	identity_helper.exe
3900	identity_helper.exe
3604	msedge.exe
3604	msedge.exe
1848	msedge.exe
1848	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exefornitecheats-external.exe

description pid process

Token: SeDebugPrivilege 3996 taskkill.exe
Token: SeDebugPrivilege 4584 fornitecheats-external.exe

description	pid	process
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	4584	fornitecheats-external.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4128 wrote to memory of 4340	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 4340	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 5084	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 244	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 244	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 3788	4128	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\FNcheats-external V2.zip"
1⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff822e43cb8,0x7ff822e43cc8,0x7ff822e43cd8
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
2⤵
PID:128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
2⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
2⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
2⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7643802885887181524,18430437413320066838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FNcheats-external V2\cheats-external V2\setup.bat" "
1⤵
PID:3480

C:\Windows\system32\net.exe
net stop "WinDefend"
2⤵
PID:1512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
3⤵
PID:580

C:\Windows\system32\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\net.exe
net stop "security center"
2⤵
PID:4504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "security center"
3⤵
PID:1240

C:\Windows\system32\net.exe
net stop sharedaccess
2⤵
PID:3312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:2680

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode-disable
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4864

C:\Windows\system32\net.exe
net stop "wuauserv"
2⤵
PID:468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wuauserv"
3⤵
PID:2800

C:\Users\Admin\Downloads\FNcheats-external V2\cheats-external V2\fornitecheats-external.exe
"C:\Users\Admin\Downloads\FNcheats-external V2\cheats-external V2\fornitecheats-external.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4af3ab7cb0460a8ca1bc42c663f441ea

SHA1
47603056b2829b869fbab04884da29544077fc3e

SHA256
e4c2390de67f4be3f7a84f4ef879a25c15c68c62a226ab9c9007c03597184369

SHA512
9c4cb6eee3f90f4cf46c0544d371cbe3b93a092f0057963e54bdbc6c6e584564aa4e3e8cc0085360ac7661a18c929c37cdabaa35035d925fc23446dba609323a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f9e5616c068d89c288975cccf486ba9

SHA1
049ff88576a2a7c47740819b750a2f8edfa0d0b7

SHA256
680a4ebe591a39c80dc406530a6e51aa0bdee8ab91b8d326f90616435b595e26

SHA512
98147f31a4d6372e73970295464c8943709632e78b15f581436f30d63f9cbdcbaaf9c80e2cce366f95709f52c7bb2283770de686dac7d1c0b7e2cb704b7a0383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
faed443f8f19a315bdd5ca3e36a3c446

SHA1
430196a3547a82a532e85687649082bb1819ca9b

SHA256
897c820cf8a6897b40e3ce62a05a311964f146897efe0086c303e98e92bb2a1d

SHA512
e19a2cd48a8f945e5784c1801cd186b28092f034b825133d23472f5710c349a9324ad08e144e9686e6a1215c4f5678bba02fe1bd4a50b6ac673249d4d0047a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
649B

MD5
b3e878cca9d896031a77b24627a66b40

SHA1
cc048a7cdcb508dbbb2fe129808d7b3fcbb5083a

SHA256
a769a91190ecea5528aafb081de334c148bd28da6d961d225a6ab1bd7b79863e

SHA512
533666d3dee9e6d2db28bc126095055c24b7476bfbbacb6308c75e1a509179d3b96b46e3da0dc5712e5af79b571d3334cdf7b9d32ed466da0f47d0e939c2e21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3cdf7cf2d2c62566dba584f9497260b5

SHA1
7319837d4ac4d430dd5182496a5fb2287cadad91

SHA256
a1c47b2f1ead3215436c60d28b99214b10a498474939dc8486dd25b39db6b0a8

SHA512
6fa880676db8fc07ffe113899459d5805dea790c5391be0e35c5c85da562fe872c2ec8e462275d148356a4da2856939c7dafd03bbeac87b77a79dc4e62c3a7ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
56c65a699ce1b5219c23abeeef6cd801

SHA1
9ad456bca890b79622dfefec8c06241b2f8508e0

SHA256
a6b5d0e6cce57e2b850e44c9fe3a4817dda0746809c0361377ca31c7861562d1

SHA512
df3c2aaecf5e5300e0eb8794026c0a884561a3ff529161cfd2f802e874be1b4c6787f4058a35cf33bdca1a3f78f24d031199ebf861b02e41dac656ff39f7ebf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
92c6554dc9b3d4748e9ca318e7a87541

SHA1
44b87fea076b7dc225f26c58ab7acacc699ade2f

SHA256
fafcde73d3684911a3d2846212dd519aa0227cd77e7db20141d6745fb915af5d

SHA512
961e03e6986e2420ac4b5e8dc59a105e2fc436fbea6fb54bbe977f7069db278a902fc32733d94ad346aab75713b6118a96e9249116b3b8ad497b1d5ebb834b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0b7929190a7959786d8dd3cce9077afe

SHA1
cdf1baff6bd20e9f1c795ed8428dcf0542d76e0d

SHA256
c0b70d63453281b698d7d8bbae94a2992407a92317bca08def1f3118d7a0794b

SHA512
18560f63fcecfc1c78bfd3c4cbe5de1c22f6dc8e0be76e004f2cf5d8192a302532b9cf920fb445b65fb7929b5a0f84bf3f1550f4be63766e3fedb3127d6a129b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
f0e8d6e8db01bf62dbf8f5213cd9045c

SHA1
750a45c45b0fb699228d648fd305e68d184540f3

SHA256
9f8236f2d711597f14c66a0d9965407eccff771c7bb59be1066788d619a28515

SHA512
308632064d5b7da75147b402238aa2921a269c04d70cd483b92b1ce4d4dce141ffdfaddfb895ce2bf2b089ba7c6a6df2ed582c0053b1f803a02966c395a159fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
9741e408bdbfe846509af962fdda5431

SHA1
650cbac8c62186c4d7bdfe1681f25fba36b5cbdc

SHA256
884f2ffc1d8929df5669cadaf16bc495b121c3b019e756b7aef8f63e7367dce8

SHA512
75b4d3ce9a7fc346eb77114204ef78d6d809a4e2506dde182ea34999182f8999952e56bbf78d7324f2e544ce95e8d891e562dcb3ecd1936878ffcf613c56ed7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
69e8cd94673afb93f8f022d02d6e4960

SHA1
145bcc331ea842ecb8abd9a3bc9122eb38248e20

SHA256
f00bb19f80f0396bd794b68261880785112a8087bc212254f317b8beb4a4b6ee

SHA512
4836c74cf58154e154f51dd4068e0db9cd42e66c13502fc3664da5afbd6647e0ac28015d74a3b0c42e7167e35d4529a06361a12b7361934aa24d13d98713a6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58297c.TMP
Filesize
874B

MD5
b6659d424f7e4552f459519705323abf

SHA1
cea634a81a5bee49cc374374c67284c63f8fbae3

SHA256
cd827c5106cb6ead3b99d5b63c9330805ec707dc1d105e9cd3c404a94ce05d34

SHA512
112bb4dfc285ba8e6e7519910c622c6b9cceb7cab035cb5870d42e0af11680615249f13cc02a057513a2989d09d36641b2a3ae40ce1c47d1b4866a3dd1596d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
06e56f80f333c23ded34a2e306d855a2

SHA1
e24ba6cf8cb07a7e69070948cd55ce46babcbb40

SHA256
1243611e59756c7c9b3bbdf67bc863776b0809118bdc59078c6cc7b35d3b61e5

SHA512
a1791085b2718f9d2ff768ee59c77d9cef487c4e5f2a92aef988e4789ab5c9d18ed1d4f7c1d3cec8c59ac70acc4586322af63d6443d7e4bb696996ccd3e46a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
221a7561bdbe541883727092b945eb1c

SHA1
ed51b4aaae3e2ecbe62dfac9820ba9f080e77643

SHA256
4866a74888973ebebba9c628043f1377051df252c81cdd112810e168c23e9332

SHA512
060c814482ad27f4fb59a82cf229cddecdf598b4346aceceb60cfca5fa0c63db07e218d491141c4a467b3ea074d1000b1a6e1c440f734fc4bbfd473729a01a35

Download Submit
C:\Users\Admin\Downloads\FNcheats-external V2.zip
Filesize
29KB

MD5
a0d168cddd277bb4cc8a6b80b5145202

SHA1
b00271f09faf861e2e4a3ec1ea1f2459cdd0597b

SHA256
d8f1657fbbf6e1c11b9f9487fdb79358b097211f6b9d22dfca06fcaf80d6337d

SHA512
7492f89ce3a9c1b0e58e18b9442f9f903dffec794c514054fbcd9e86c01bc98e1e5f8483bd8a20ac262d098c32c8e19c230a8296d78657aba3869e302281c03d

Download Submit
C:\Users\Admin\Downloads\FNcheats-external V2.zip:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\LOCAL\crashpad_4128_DYNGJNUVQCJKNPZY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4584-422-0x000001F947DA0000-0x000001F947DB8000-memory.dmp

Filesize
96KB

Download
memory/4584-423-0x000001F962520000-0x000001F9626E2000-memory.dmp

Filesize
1.8MB

Download
memory/4584-424-0x000001F962C20000-0x000001F963148000-memory.dmp

Filesize
5.2MB

Download