njrat | 559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707

Analysis

max time kernel
68s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe
Size

23KB
MD5

4834daaa2464378474669c26607f8c55
SHA1

0798e7d96aaaa629c232ad4398a307e25013d585
SHA256

559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707
SHA512

20757819ff1eb2b63155bfbbc983e1e95e4bb0eff6aad703db6cb557f89c6ad26b48ae090367539219dab58b2bf8df2574c7dbde206b60e63c58e5b16d62386d
SSDEEP

384:tY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3tVmRvR6JZlbw8hqIusZzZo69:CL2s+tRdRpcnudG

Score

10^/10

njrat zayan1 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

zayan1

65.0.50.125:22158

Mutex

a4cbdc4b353efef9adf0da32b8aa4cb1

Attributes

reg_key
a4cbdc4b353efef9adf0da32b8aa4cb1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3044	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	server33.exe

Loads dropped DLL 1 IoCs

pid	Process
2112	559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4cbdc4b353efef9adf0da32b8aa4cb1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server33.exe\" .."	server33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a4cbdc4b353efef9adf0da32b8aa4cb1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server33.exe\" .."	server33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2472	chrome.exe
2472	chrome.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe
2644	server33.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	taskmgr.exe
Token: SeDebugPrivilege	2644	server33.exe
Token: 33	2644	server33.exe
Token: SeIncBasePriorityPrivilege	2644	server33.exe
Token: 33	2644	server33.exe
Token: SeIncBasePriorityPrivilege	2644	server33.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: 33	2644	server33.exe
Token: SeIncBasePriorityPrivilege	2644	server33.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: 33	2644	server33.exe
Token: SeIncBasePriorityPrivilege	2644	server33.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: 33	2644	server33.exe
Token: SeIncBasePriorityPrivilege	2644	server33.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe
Token: SeShutdownPrivilege	2472	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2496	taskmgr.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2644	2112	559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe	28
PID 2112 wrote to memory of 2644	2112	559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe	28
PID 2112 wrote to memory of 2644	2112	559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe	28
PID 2112 wrote to memory of 2644	2112	559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe	28
PID 2644 wrote to memory of 3044	2644	server33.exe	29
PID 2644 wrote to memory of 3044	2644	server33.exe	29
PID 2644 wrote to memory of 3044	2644	server33.exe	29
PID 2644 wrote to memory of 3044	2644	server33.exe	29
PID 2472 wrote to memory of 2492	2472	chrome.exe	33
PID 2472 wrote to memory of 2492	2472	chrome.exe	33
PID 2472 wrote to memory of 2492	2472	chrome.exe	33
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2884	2472	chrome.exe	35
PID 2472 wrote to memory of 2920	2472	chrome.exe	36
PID 2472 wrote to memory of 2920	2472	chrome.exe	36
PID 2472 wrote to memory of 2920	2472	chrome.exe	36
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37
PID 2472 wrote to memory of 1736	2472	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe
"C:\Users\Admin\AppData\Local\Temp\559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\server33.exe
  "C:\Users\Admin\AppData\Local\Temp\server33.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server33.exe" "server33.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6eb9758,0x7fef6eb9768,0x7fef6eb9778
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:2
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1296 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1728 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:2
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3736 --field-trial-handle=1284,i,18428242240731148502,6743755749192836063,131072 /prefetch:1
  2⤵
  PID:1196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\731edbb1-8a43-400d-b0fd-20cfc877ff9d.tmp

Filesize
257KB

MD5
7bf7831d81f9510e265eb4b112d5c51d

SHA1
248b8060accf119444143b458389fb8c3c54ea21

SHA256
7c11738e2a9af47ccf92398dcce55e437f7734ac102bd33efeeef587f3f8530a

SHA512
0ef999473e30f78682fcee80811063795f37676841a9ff192a8edbbb3c5ea832a379bb9906d114c89e28caadc08baf0387601e7fa5412e5a7a87d83f6f74ba62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
eb196ac2a45fd635d5dd198fbe71d14b

SHA1
6788ae3e110b945288b3468d5fa64b44d03a4214

SHA256
572d7b3092685b64c74cb9d2f37c3b3f08a4f119253261309c5492177e1bee3b

SHA512
abe1e34d3238cf1b452f8bc0de70b82a521e4b9feb96751a3fd10c4c1e38a4706aa7c64374b3c525c5db7737cc84ca2a01f0365e8f847d5ea0a5649b858b6f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
258e2202421aa93c47c067d7306c14ca

SHA1
3e28c3d947289f77873795fb21ed2cf29a00c509

SHA256
d398fb1cc2ed60613f86f6b1354138a3a441dfbe55f6cacab399b47324e34f6e

SHA512
a8703d8d01867998f11bb03620e0a55496a8ff030cdc147ea1e4afa62ac8ce5216af13d3fc480eab4ed2ec41729a2a938cb25ec2ac7d1b12975e0838a7331a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f1b539bab4ff7e36b1c1a5071c8e4645

SHA1
57e452c60c18b6b5a2140fc2a45b5c454e8d706b

SHA256
7337cb390a9f733193fd67a40b2f3cad9ab3336ecfcbd7489ded607cdf981612

SHA512
d6c437c079b612b2692b3adb284b5eff1d516e56015e9350f278f4cd4af1e5895a19c4e6f60247533d70bc0c095b263049c21f87c5e460f4f3656625cee6fa24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d61451a07dd98c9e368f64a08aef08cd

SHA1
7c8aeeeb75326764612ea9e52db0d545c4c27989

SHA256
e7bc2b1a16952331fa82dda9f0199144d14c91bdfca78cd8b320c23bc1038d59

SHA512
a24ffad7e65614245088b57f163c9bfa6c240903551168f22eff6819827c023e7cf64868f81d2b808769163af731a9f6c1cde47ae67392b0e55bd40ef736d3d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b913a08d7d80c9a300adbe60ffbf77bc

SHA1
d1043c8ecbd96a65b3b3f69fbc7a344f43a97db4

SHA256
40c210dba482bfb7611e59d84d0a38ec73389f6f6735198a472eaa37fc003bae

SHA512
f71d84dd4c356b119dcafe609cabff2404aec0da6d71b0f1e1a089f5eeeb470f3557f259159739119aca746de1559625da7d87a1bbfc897676be7135bdbccc9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
4f0f60647eb9a21092ebaf5508dd888f

SHA1
4d1470fc01958209bdec5741dd8aa9f0fd3ba7df

SHA256
a478eb7c5611381525f63dbb6a5dbcd28a5b0bb5433204ec826a28d7a5c15f6e

SHA512
2f2e8e9c6d3939306326decce0feefd35829ea4c65890fae1217781f1f5cb1e4bdeb6b3878ba0a873a60782c30c8f1492f048d7686b6868b2858ede865f1485e

Download Submit
\Users\Admin\AppData\Local\Temp\server33.exe

Filesize
23KB

MD5
4834daaa2464378474669c26607f8c55

SHA1
0798e7d96aaaa629c232ad4398a307e25013d585

SHA256
559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707

SHA512
20757819ff1eb2b63155bfbbc983e1e95e4bb0eff6aad703db6cb557f89c6ad26b48ae090367539219dab58b2bf8df2574c7dbde206b60e63c58e5b16d62386d

Download Submit
memory/2112-11-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-0-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-1-0x0000000000130000-0x0000000000170000-memory.dmp

Filesize
256KB

Download
memory/2112-2-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-15-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2496-14-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2644-12-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2644-10-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-13-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-65-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-16-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download