njrat | f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Extreme.Injector.v2.4.5.-.by.master131.exe
Size

164KB
MD5

2fd45c4572749ca9537fde2dadf1b8dd
SHA1

77fce1f2295d640962321c15e628f374525f6689
SHA256

f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b
SHA512

7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f
SSDEEP

3072:hodc4/cHmSPrcerD+fR6DBBLzy7zRJZGuQkIJ4gRqE2uIE28uEwBZSZbM1hePf:mdHeDtUZabmO

Score

10^/10

njrat collection persistence spyware stealer trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 6 IoCs

Processes:

Google Crash Handler.exeGoogle Crash Handler.exetmp7DE5.tmp.exeGoogle Crash Handler.exebrowser.exeemail.exe

pid process

2252 Google Crash Handler.exe
1160 Google Crash Handler.exe
4460 tmp7DE5.tmp.exe
628 Google Crash Handler.exe
4400 browser.exe
1400 email.exe

pid	process
2252	Google Crash Handler.exe
1160	Google Crash Handler.exe
4460	tmp7DE5.tmp.exe
628	Google Crash Handler.exe
4400	browser.exe
1400	email.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exeGoogle Crash Handler.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Extreme.Injector.v2.4.5.-.by.master131.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Google Crash Handler.exe

Drops startup file 2 IoCs

Processes:

Google Crash Handler.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Crash Handler.exe	Google Crash Handler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Crash Handler.exe	Google Crash Handler.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

email.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	email.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google Crash Handler.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Crash Handler.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Crash Handler.exe\" .."	Google Crash Handler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Crash Handler.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Crash Handler.exe\" .."	Google Crash Handler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5088 schtasks.exe
3360 schtasks.exe
2336 schtasks.exe
1652 schtasks.exe
4880 schtasks.exe
1652 schtasks.exe
4676 schtasks.exe
4336 schtasks.exe

pid	process
5088	schtasks.exe
3360	schtasks.exe
2336	schtasks.exe
1652	schtasks.exe
4880	schtasks.exe
1652	schtasks.exe
4676	schtasks.exe
4336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exe

pid	process
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe
3404	Extreme.Injector.v2.4.5.-.by.master131.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exeGoogle Crash Handler.exeGoogle Crash Handler.exeGoogle Crash Handler.exeemail.exebrowser.exe

description	pid	process
Token: SeDebugPrivilege	3404	Extreme.Injector.v2.4.5.-.by.master131.exe
Token: SeDebugPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: SeDebugPrivilege	1160	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: SeDebugPrivilege	628	Google Crash Handler.exe
Token: SeDebugPrivilege	1400	email.exe
Token: SeDebugPrivilege	4400	browser.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe
Token: 33	2252	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	2252	Google Crash Handler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Google Crash Handler.exe

pid process

2252 Google Crash Handler.exe

pid	process
2252	Google Crash Handler.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exeGoogle Crash Handler.exeGoogle Crash Handler.exeGoogle Crash Handler.exetmp7DE5.tmp.exe

description	pid	process	target process
PID 3404 wrote to memory of 1136	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 1136	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 1136	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 4880	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 4880	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 4880	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 5008	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 5008	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 5008	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 1652	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 1652	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 1652	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 3404 wrote to memory of 2252	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 3404 wrote to memory of 2252	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 3404 wrote to memory of 2252	3404	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 2252 wrote to memory of 4512	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4512	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4512	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4676	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4676	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4676	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4384	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4384	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4384	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4336	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4336	2252	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4336	2252	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 4232	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 4232	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 4232	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 5088	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 5088	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 5088	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 3724	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 3724	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 3724	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 3360	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 3360	1160	Google Crash Handler.exe	schtasks.exe
PID 1160 wrote to memory of 3360	1160	Google Crash Handler.exe	schtasks.exe
PID 2252 wrote to memory of 4460	2252	Google Crash Handler.exe	tmp7DE5.tmp.exe
PID 2252 wrote to memory of 4460	2252	Google Crash Handler.exe	tmp7DE5.tmp.exe
PID 628 wrote to memory of 4972	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 4972	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 4972	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 2336	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 2336	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 2336	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 3324	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 3324	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 3324	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 1652	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 1652	628	Google Crash Handler.exe	schtasks.exe
PID 628 wrote to memory of 1652	628	Google Crash Handler.exe	schtasks.exe
PID 4460 wrote to memory of 4400	4460	tmp7DE5.tmp.exe	browser.exe
PID 4460 wrote to memory of 4400	4460	tmp7DE5.tmp.exe	browser.exe
PID 4460 wrote to memory of 4400	4460	tmp7DE5.tmp.exe	browser.exe
PID 4460 wrote to memory of 1400	4460	tmp7DE5.tmp.exe	email.exe
PID 4460 wrote to memory of 1400	4460	tmp7DE5.tmp.exe	email.exe
PID 4460 wrote to memory of 1400	4460	tmp7DE5.tmp.exe	email.exe

C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:5008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1652

C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
"C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:4676

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:4384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:4336

C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\dump456\browser.exe
C:\Users\Admin\AppData\Local\Temp\\dump456\browser.exe -f C:\Users\Admin\AppData\Local\Temp\\dump456\pass1.txt
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\AppData\Local\Temp\dump456\email.exe
C:\Users\Admin\AppData\Local\Temp\\dump456\email.exe -f C:\Users\Admin\AppData\Local\Temp\\dump456\pass2.txt
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
"C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:4232

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:3724

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:3360

C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
"C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:2336

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:3324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Google Crash Handler.exe.log
Filesize
588B

MD5
e293216bc892a819986fbe64a0f8d0b4

SHA1
5152f6fec6914c0b0561d444837f79b8436f403c

SHA256
5185c5bb61a3163e462585f5016cafb6b957948cf1fdd72e700a8d437e84b787

SHA512
f78cb3635a06c7f94f11c60fac8b962df34784f166529db81022dc18b5e233449ae04e62ae0e9298d87646eedcb4e52c09d3ac2754ffaf98a277ce8916a953be

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\browser.exe
Filesize
439KB

MD5
10ae9f2eb3e7e79590493c47e39eb04b

SHA1
87490001bce150fd684e6ffe9343aa8f62dac963

SHA256
2a403b01727b1f8d2a7079427946f178c3c66dc17a00e6d1ab7547b11680d012

SHA512
764cd1f5f5466dbb55ec8ee1360ec8a8671468c761d3f70e2e9bc4f548e1d4bb920254abf68eb6c3c2a44bad7e9d7e7c205d4e316d3d0fdab2f2f55e398f9ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\email.exe
Filesize
464KB

MD5
9b222f92f7c7da9287e5daa968638638

SHA1
99b8f6deaa13d04e9ec49a23eadbc9736209df26

SHA256
941d0b28c048462fcaad246d6c0721d261a18d233732bef9a900adfb29ad7364

SHA512
8ff915bda99d0ea3a5426c2f92c9f583af8a4aa162c3fddfe0734d7617135a1fa5f6a85ec5eae80a1f0b9f95e595e53998e3da262aa5bdc4489a0876010472e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe
Filesize
915KB

MD5
2e17223a079a3957be8009ebed5548fd

SHA1
63c6378d766db9b0a4a5cd960d9f5b6184d867e1

SHA256
eff6d9f2f2609be04c69339c21b69b77c6b2f9575ff1b8ea3218426032f28a29

SHA512
2b31424278b60708045e8ce4e3c7519fcf409aa755ccd8e942cdfee4e127112dbbf2f34e7e161cd511c21594b2679fd7c926848d7591f3283d4d9cb71f40a60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe
Filesize
915KB

MD5
2e17223a079a3957be8009ebed5548fd

SHA1
63c6378d766db9b0a4a5cd960d9f5b6184d867e1

SHA256
eff6d9f2f2609be04c69339c21b69b77c6b2f9575ff1b8ea3218426032f28a29

SHA512
2b31424278b60708045e8ce4e3c7519fcf409aa755ccd8e942cdfee4e127112dbbf2f34e7e161cd511c21594b2679fd7c926848d7591f3283d4d9cb71f40a60f

Download Submit
C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
memory/628-172-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/628-162-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1136-133-0x0000000000000000-mapping.dmp

Download
memory/1160-153-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1160-148-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1400-167-0x0000000000000000-mapping.dmp

Download
memory/1400-171-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1400-170-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1652-163-0x0000000000000000-mapping.dmp

Download
memory/1652-136-0x0000000000000000-mapping.dmp

Download
memory/2252-146-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2252-137-0x0000000000000000-mapping.dmp

Download
memory/2252-140-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2336-160-0x0000000000000000-mapping.dmp

Download
memory/3324-161-0x0000000000000000-mapping.dmp

Download
memory/3360-152-0x0000000000000000-mapping.dmp

Download
memory/3404-132-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3404-141-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3724-151-0x0000000000000000-mapping.dmp

Download
memory/4232-149-0x0000000000000000-mapping.dmp

Download
memory/4336-145-0x0000000000000000-mapping.dmp

Download
memory/4384-144-0x0000000000000000-mapping.dmp

Download
memory/4400-169-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4400-165-0x0000000000000000-mapping.dmp

Download
memory/4400-173-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4460-164-0x00007FFFEC080000-0x00007FFFECAB6000-memory.dmp

Filesize
10.2MB

Download
memory/4460-154-0x0000000000000000-mapping.dmp

Download
memory/4512-142-0x0000000000000000-mapping.dmp

Download
memory/4676-143-0x0000000000000000-mapping.dmp

Download
memory/4880-134-0x0000000000000000-mapping.dmp

Download
memory/4972-159-0x0000000000000000-mapping.dmp

Download
memory/5008-135-0x0000000000000000-mapping.dmp

Download
memory/5088-150-0x0000000000000000-mapping.dmp

Download