njrat | f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705

General

Target

d33dec279966da2024c05d5fde688253.exe
Size

1.2MB
MD5

d33dec279966da2024c05d5fde688253
SHA1

74bde021ba65fdd33fd420568b6a2da406ac07e8
SHA256

f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705
SHA512

67ec505fb9305493699af82de2054ebedcf033867bd9cd14bac7fef392d5f69ce9aaa61a408e67f346153aaa05c1c65aff8e0c63d99477bd04fc6e25c4262fd8
SSDEEP

24576:ANA3R5drXPrfi4T6sNNuT0Zb7mnyxuYuroyvUC0l6:55jl6GuT0tmNTrTsCe6

Score

10^/10

njrat gold trojan

Malware Config

Extracted

Family

njrat

Version

20

Botnet

gold

C2

149.248.52.61:87

Mutex

165d6ed988ac

Attributes

reg_key
165d6ed988ac
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d33dec279966da2024c05d5fde688253.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	d33dec279966da2024c05d5fde688253.exe

Executes dropped EXE 1 IoCs

Processes:

winhosti.exe

pid process

1352 winhosti.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1352	winhosti.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

d33dec279966da2024c05d5fde688253.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	d33dec279966da2024c05d5fde688253.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe
3336	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

winhosti.exe

description pid process

Token: SeDebugPrivilege 1352 winhosti.exe
Token: 33 1352 winhosti.exe
Token: SeIncBasePriorityPrivilege 1352 winhosti.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3336 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

3336 AcroRd32.exe
3336 AcroRd32.exe
3336 AcroRd32.exe
3336 AcroRd32.exe
3336 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1352	winhosti.exe
Token: 33	1352	winhosti.exe
Token: SeIncBasePriorityPrivilege	1352	winhosti.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d33dec279966da2024c05d5fde688253.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3388 wrote to memory of 1352	3388	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 3388 wrote to memory of 1352	3388	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 3388 wrote to memory of 1352	3388	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 3388 wrote to memory of 4528	3388	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 3388 wrote to memory of 4528	3388	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 3388 wrote to memory of 4528	3388	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 3388 wrote to memory of 3336	3388	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe
PID 3388 wrote to memory of 3336	3388	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe
PID 3388 wrote to memory of 3336	3388	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe
PID 3336 wrote to memory of 3668	3336	AcroRd32.exe	RdrCEF.exe
PID 3336 wrote to memory of 3668	3336	AcroRd32.exe	RdrCEF.exe
PID 3336 wrote to memory of 3668	3336	AcroRd32.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 4912	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2244	3668	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\d33dec279966da2024c05d5fde688253.exe
"C:\Users\Admin\AppData\Local\Temp\d33dec279966da2024c05d5fde688253.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Roaming\winhosti.exe
"C:\Users\Admin\AppData\Roaming\winhosti.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\u.vbs"
2⤵
PID:4528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Phase-3 of Nationwide Vaccination Registration.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB8E859607E337E1242DFC1BA85ED593 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6AB9B470692B70667CA6194134207A1B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6AB9B470692B70667CA6194134207A1B --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2244

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=17D1B672FA604F4025415905C50B6C5C --mojo-platform-channel-handle=2156 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3756

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=582D7CD14D481AAA7A2C1F2F06BAF9C2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2E39EDACDBB4B291E4A70C5855A0E53D --mojo-platform-channel-handle=2236 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DC07320F66842034E7A2B381B4DEEDDA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DC07320F66842034E7A2B381B4DEEDDA --renderer-client-id=7 --mojo-platform-channel-handle=2136 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
8d67008eb549fb96db0e89a6f87e1143

SHA1
1cc7d69ffcb4a8d25967dab1efbd8b97ef5c8c1a

SHA256
7a65c8c7aeb043171b208b643c09a26356f019843c5fffc47858e0e61bfc1fcf

SHA512
12fbdb4ea65376ffd767caaa69846ab6a50d1df0d491c590ee20ee640b11f7eca0b539014230aa8b56323f07ce62a50111aa14e246347ec2394568a4fd7b8fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Phase-3 of Nationwide Vaccination Registration.pdf
Filesize
956KB

MD5
0fa12ed69cc54281b003b26adc5d05a9

SHA1
5f186fb3817297baf51e8b697ed044ac437dc996

SHA256
fa344d98fdf10e10c32971dcdad234925143120e50200048b510e64c4c5c5cf4

SHA512
36d2b93a3674b5c8edba8bda3f477b4e2e889ea27862bc00a00c8fa4da31d9683ecd7a3fb1aeec78528ed997663ac3c85af1c00a06190e0a1f74d074cb5c60f9

Download Submit
C:\Users\Admin\AppData\Roaming\u.vbs
Filesize
1KB

MD5
3ce49084a8ccb465d430e750ec9a2df3

SHA1
26fdb9476e7259cc399c2cb311dfe5779d0528a6

SHA256
6d4f18ec7564d4e1abcd0c6e4697f9cd029fba5fb4889d647dacd938d9aabb65

SHA512
32892546b3526e5b877d15a531ad98e637c2caa282e0043290078456121ff648ead57a58e9740f42cf275850a87c0fac8f504958b58959740f271dd0c1b697fd

Download Submit
C:\Users\Admin\AppData\Roaming\winhosti.exe
Filesize
22KB

MD5
7cbc3b6a36f71c584b08fac91478f033

SHA1
e1b3fc39592cc02aa8b40487c827bc96fb3c830d

SHA256
1dab360111d8a0f59674bc5c725b88edac598dd7e0171ab7c3bc5416d45e6e89

SHA512
f85e4344be0cf30ee9d00e754dcbccfb2bd0833fb16a0a9423388fe2020981e46c20323c385f6be96e0fa52af06b859a65fc006762bd9f2f89062fb7ae180c41

Download Submit
memory/1352-21-0x0000000072A30000-0x00000000731E0000-memory.dmp

Filesize
7.7MB

Download
memory/1352-54-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/1352-22-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/1352-20-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/1352-152-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/1352-158-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1352-159-0x0000000072A30000-0x00000000731E0000-memory.dmp

Filesize
7.7MB

Download
memory/1352-160-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/1352-172-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads