njrat | f96909c54e460ec8c89fc3b8a160d523d27089844fa8bbfffa2c99eef188cee3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fetg.exe
Size

37KB
MD5

ae4e4403a38930cfb2162c624e8b38d2
SHA1

b9cedecd6d6b365d785b1da0543b3957461d19d4
SHA256

f96909c54e460ec8c89fc3b8a160d523d27089844fa8bbfffa2c99eef188cee3
SHA512

c73fa77c3cf00808633a7a52a8db3b137e15ad4ae97912caced69287ca34debfb79516218a17b287d5234969b2ca11d11f3775ea427b3799de808ef8dd56f1cf
SSDEEP

384:zaqIiuVjtD+P3V+y0bf2TKtvN4suKfYrAF+rMRTyN/0L+EcoinblneHQM3epzXdk:ONmV10bf2TKtClKQrM+rMRa8Nuyvt

Score

10^/10

njrat hacked evasion spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

tcp.eu.ngrok.io:15640

Mutex

cbe1352502f3ef3b65e89dcbf4c51389

Attributes

reg_key
cbe1352502f3ef3b65e89dcbf4c51389
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3196 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fetg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation fetg.exe
Executes dropped EXE 1 IoCs

Processes:

tecsrur.exe

pid process

1508 tecsrur.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3196	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fetg.exe

pid	process
1508	tecsrur.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2752-216-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2752-218-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2752-220-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2752-225-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

32 tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

tecsrur.exe

description pid process target process

PID 1508 set thread context of 2752 1508 tecsrur.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
32	tcp.eu.ngrok.io

description	pid	process	target process
PID 1508 set thread context of 2752	1508	tecsrur.exe	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133575152054581571"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetecsrur.exe

pid	process
2480	chrome.exe
2480	chrome.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe
1508	tecsrur.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2480 chrome.exe
2480 chrome.exe
2480 chrome.exe
2480 chrome.exe
2480 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tecsrur.exechrome.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1508	tecsrur.exe
Token: 33	1508	tecsrur.exe
Token: SeIncBasePriorityPrivilege	1508	tecsrur.exe
Token: 33	1508	tecsrur.exe
Token: SeIncBasePriorityPrivilege	1508	tecsrur.exe
Token: 33	1508	tecsrur.exe
Token: SeIncBasePriorityPrivilege	1508	tecsrur.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: 33	1508	tecsrur.exe
Token: SeIncBasePriorityPrivilege	1508	tecsrur.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: 33	1508	tecsrur.exe
Token: SeIncBasePriorityPrivilege	1508	tecsrur.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: 33	1508	tecsrur.exe
Token: SeIncBasePriorityPrivilege	1508	tecsrur.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe
Token: SeDebugPrivilege	2752	vbc.exe
Token: SeShutdownPrivilege	2480	chrome.exe
Token: SeCreatePagefilePrivilege	2480	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fetg.exetecsrur.exechrome.exe

description	pid	process	target process
PID 3380 wrote to memory of 1508	3380	fetg.exe	tecsrur.exe
PID 3380 wrote to memory of 1508	3380	fetg.exe	tecsrur.exe
PID 3380 wrote to memory of 1508	3380	fetg.exe	tecsrur.exe
PID 1508 wrote to memory of 3196	1508	tecsrur.exe	netsh.exe
PID 1508 wrote to memory of 3196	1508	tecsrur.exe	netsh.exe
PID 1508 wrote to memory of 3196	1508	tecsrur.exe	netsh.exe
PID 2480 wrote to memory of 1512	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 1512	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 3592	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 420	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 420	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe
PID 2480 wrote to memory of 564	2480	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\fetg.exe
"C:\Users\Admin\AppData\Local\Temp\fetg.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\tecsrur.exe
"C:\Users\Admin\AppData\Local\Temp\tecsrur.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tecsrur.exe" "tecsrur.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\1778012"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdb856ab58,0x7ffdb856ab68,0x7ffdb856ab78
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:2
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:1
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:1
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6812eae48,0x7ff6812eae58,0x7ff6812eae68
3⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4516 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:1
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5028 --field-trial-handle=1808,i,137350020203139284,6306740871255353390,131072 /prefetch:1
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
696B

MD5
8416cdf04f71978397c1630e0a2bd188

SHA1
a21a77c6342f80a1e51222b276cc2c6f9a235709

SHA256
ab7349721cd4ffe5ec400b92fa8d15e1f7bef5721db64ba5cff033a91d13fd68

SHA512
0779761ad3b57d5ab48087a37ef7a42d9e1f51a44060a8b52eda5dab64fce3cf36938eddf197b771b7b0dbf9bd023e6a2cd861b653e457c8418f41ca2c8a41e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
83a2269e222030c0d0fe2c72762b7f91

SHA1
98ce9dda64a318a982e9acbb805321b7d7ebf109

SHA256
0187ca34a1405ca528a6198febf89a3a9792709888e0d02d7fa0133602566565

SHA512
baa702e762655a505943f3ec9753a0f82b523afd4ddceb6f90197fab6d107bbb9e11c9dfc421d1022cd729b677c778056f88a9b180ab12d7ed2ef17825af47e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
3fa513e5391f1d006df4175d1ed94930

SHA1
a5ae17ff87eaefbde70ab9995b7f633918c8037d

SHA256
8f730a65ccff982041df0c558b29c96d9eed97dddfbf6eb41aad35b6fb8f3b7c

SHA512
7648bf9a9ff378cfef2a76be9fc7ce19e337e7d67eb577662997f14d6b54d38e8aa7d583935c55c5bd67a44422190b78ccc77779d13a00e8612c4c6b3b696e1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6b985967dcdc77579f1e5cf98008ee0f

SHA1
d1c2470656be0da72738714b29f4c4143f44d483

SHA256
6cd8f20eba1e5cafea67640b8a85c92ced37fe4fdf0a9d924f90a761c2916dbd

SHA512
c30f698b8881401afc5bb0146d051386f6f5c42f5b1a330e6205bf70da14bbf06fcf2afff4167eefbb84807f5078e01f96e446854c6e7e7a5655a9b06c82e1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
454bbd6a47c59c86cfb80f775223ec1f

SHA1
ad4433e809aa5f1e723b7285a38a9ffd464a6771

SHA256
c3ebcd44f1aa005704c3ef204e94cad16114d81e8637e571e3e53a0d81414d7b

SHA512
f99c7e824f833dd5556c613762dc0c4af5fbc05b202cead8d02dabb12db254a6b995378ae030083669da8162737329af5cae8e47bfd8ce9eed38a4cb294e3549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
66aaca2a6d4d723458c38ede90b39d8f

SHA1
c970c510aca4e3e753d5a16aacdc8ecec8d78209

SHA256
c05584647151c5fe11d365a747ab9405c6f37e698485e8a6a85b2ae226d2a8b4

SHA512
18451856e53332f64c6b9942e40ec24060428b62b90c6138f95b6c0fd0a4c815edf0bbe94be65a744fb81bfcf6fc8aa39ba663e7ca84c667e62c077292a43044

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57f695.TMP
Filesize
120B

MD5
d3684648a6c0d9324ef6cc2f67145b8a

SHA1
599f4f53a0e7a6f55f3ad9fc7ffe88a40f8cc171

SHA256
794926cf847da8956fa1a4632ce6b7b652356ce97272908ab786e0926f2dbe8d

SHA512
d25d2f45221a11ca7a0d9edb31689df8e97e705b7abab5e795180d93e5198e4892d52724c1874590164c6c5f3652a47ab22f559171219bdc5b8a0f687161071f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
251KB

MD5
9d8b0ce9cad61ac3e284cab9bd379506

SHA1
87d8e8a41bc23cf2363afdb5cccc774eccd72c48

SHA256
c1fbe25a20bde9f64a22d2edb887f1d72fd587992e2a8e088605eac355b7949f

SHA512
cf9fdd59c263dda1dcb6a5b4c747d3a191da6329dbe95b11a12e11818bd4e898a216b7c34643476faf5bf081e25eb60d32610636a040f6f4e01d7ddefa29773f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1778012
Filesize
507B

MD5
6d0e849b0647746facd7c73f03b4d366

SHA1
3138201a6608428b922bd86168b51cf80615bc91

SHA256
c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72

SHA512
3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tecsrur.exe
Filesize
37KB

MD5
ae4e4403a38930cfb2162c624e8b38d2

SHA1
b9cedecd6d6b365d785b1da0543b3957461d19d4

SHA256
f96909c54e460ec8c89fc3b8a160d523d27089844fa8bbfffa2c99eef188cee3

SHA512
c73fa77c3cf00808633a7a52a8db3b137e15ad4ae97912caced69287ca34debfb79516218a17b287d5234969b2ca11d11f3775ea427b3799de808ef8dd56f1cf

Download Submit
\??\pipe\crashpad_2480_AFKCMWITQSRYTCOV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1508-15-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1508-14-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/1508-57-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/1508-17-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1508-16-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/1508-13-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1508-68-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2752-216-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-218-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-220-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-225-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3380-12-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-0-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-1-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download