njrat | 962a9410609dda2ee32b704ba31d4cb4f70f14249cd8a183f5ebfaea63973c1d

Analysis

max time kernel
119s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

65KB
MD5

73d3a7f8e88738107d9af5dce1d0aa01
SHA1

4fc3adf92eb563101d218e67e65e66321a9609ad
SHA256

962a9410609dda2ee32b704ba31d4cb4f70f14249cd8a183f5ebfaea63973c1d
SHA512

12ed60a8cbd417e42297c14b5527c7eeb60b828a3124463b96e4d228c9b3ea96da11b836bde9478fcb65aadd1ba9cd743b038825aa24460ccd82fbc869a63612
SSDEEP

1536:Aaawk8oN36tlQviFw10AglBnvA3fLteF3nLrB9z3n3aF9bJS9vM:Aaawk8oN36tlQviFCnUBnofWl9znaF9J

Score

10^/10

njrat debilu discovery trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Debilu

127.0.0.1:7999

Mutex

COM Surrogate

Attributes

reg_key
COM Surrogate
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Deletes itself 1 IoCs

pid	Process
2180	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	AcroRd32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe
2960	New Client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	New Client.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3060	AcroRd32.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3060	AcroRd32.exe
3060	AcroRd32.exe
3060	AcroRd32.exe
3060	AcroRd32.exe
3060	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2768	2960	New Client.exe	31
PID 2960 wrote to memory of 2180	2960	New Client.exe	32
PID 2960 wrote to memory of 2180	2960	New Client.exe	32
PID 2960 wrote to memory of 2180	2960	New Client.exe	32
PID 2960 wrote to memory of 2180	2960	New Client.exe	32
PID 2180 wrote to memory of 2672	2180	cmd.exe	34
PID 2180 wrote to memory of 2672	2180	cmd.exe	34
PID 2180 wrote to memory of 2672	2180	cmd.exe	34
PID 2180 wrote to memory of 2672	2180	cmd.exe	34
PID 2768 wrote to memory of 3060	2768	rundll32.exe	35
PID 2768 wrote to memory of 3060	2768	rundll32.exe	35
PID 2768 wrote to memory of 3060	2768	rundll32.exe	35
PID 2768 wrote to memory of 3060	2768	rundll32.exe	35
PID 1320 wrote to memory of 752	1320	chrome.exe	38
PID 1320 wrote to memory of 752	1320	chrome.exe	38
PID 1320 wrote to memory of 752	1320	chrome.exe	38
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 1672	1320	chrome.exe	40
PID 1320 wrote to memory of 688	1320	chrome.exe	41
PID 1320 wrote to memory of 688	1320	chrome.exe	41
PID 1320 wrote to memory of 688	1320	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\ProgramData\COM Surrogate
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\ProgramData\COM Surrogate"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6df9758,0x7fef6df9768,0x7fef6df9778
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2096 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2104 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1116 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1420 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3392 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1624 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3744 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2400 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3832 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4092 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4104 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 --field-trial-handle=1304,i,2745275975699680413,6298494662727324061,131072 /prefetch:8
  2⤵
  PID:2584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
PID:3024

C:\Users\Admin\Downloads\New Client.exe
"C:\Users\Admin\Downloads\New Client.exe"
1⤵
PID:2592
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\ProgramData\COM Surrogate
  2⤵
  PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\Downloads\New Client.exe"
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\COM Surrogate

Filesize
65KB

MD5
73d3a7f8e88738107d9af5dce1d0aa01

SHA1
4fc3adf92eb563101d218e67e65e66321a9609ad

SHA256
962a9410609dda2ee32b704ba31d4cb4f70f14249cd8a183f5ebfaea63973c1d

SHA512
12ed60a8cbd417e42297c14b5527c7eeb60b828a3124463b96e4d228c9b3ea96da11b836bde9478fcb65aadd1ba9cd743b038825aa24460ccd82fbc869a63612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\789621ec-34b8-42a7-bae2-961dfac7719e.tmp

Filesize
344KB

MD5
1b0cd159a441aaadaa2cce80e8de952d

SHA1
5b365d0d31d7b1708a15ec71b0342b25ba69c8c0

SHA256
50611fb5c04dc8f257df8f982413f600972fa4f867bf304281b549c1a960c336

SHA512
4dfd225bbc679a9f45222cbeedd510be2e2ce4d11ed8d3058d1efa7fba66d4a59d2279a9c3273e1cd6691e61895dd0a953a3352bdd8123bc0231f36b360949ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
4d99cadabdc8b28b1bfa1e61470f581d

SHA1
2221bbd102e172dd1dc191b4afdda87a55a5d63e

SHA256
d7be0d5c75c5791bd2ac81aa9843bc62c44512f51018363f47f215b864805648

SHA512
bdf5893508a03afc6abe9c7eefdca4cab79faf19da91f511d64f70d4597ba15d81a888f3e5d5a44c1bd833b492391d5d6eb03f22036d5219e145077ce264a0e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f2f8594628f6e31f9ba9ac703dc428af

SHA1
364bff833a5cf67df6e6a3e663b29a621f88770d

SHA256
c9ae7935cc7566bcdbc76c2104e6d9807167054b27b84f48b45c9e9c86f2cd2a

SHA512
1991ac7522c439f1d515ea00012fee35512f5373a202ed59e6396c0f3fbbfa10106787d2abefac1b10f9da743a665548c2bbcb4caa3326eafae5778cfdb57495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
492dd2c141a95cb2aa142e0dc51b452f

SHA1
f4fa952ca7d3e802ed3fc2c75a069a07f7dd8aee

SHA256
22a07e1f5691e0d5ba1825eb47e075b3ff4fb26852d80ee754bb8b0a6221fa5b

SHA512
0efbf8155c3ef05e4d91ddcb2e42cd3b393982d37678e231c4032fa95606aa6b10a48860d7cd7b22d6efb1877b7acde23cb799211779420d82fb8cca744a39ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
0d3997009402045fdf7e8f3d3e2a8015

SHA1
1aa38b02b51dc7fbe1b64e6958aa6f27d75faa38

SHA256
293f22a4d2104a3bde947612836bda48db2b557c9bc22f8853e221436a639ae9

SHA512
4172759aee2a760bfa23d61a51b0b84f21b41e9d1e376e5880ac937ee523f8f481c62b40bdeac32bfb3efe59b66119dee7c5c5ad17c37b2a6994a4105705b7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB637.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB659.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
da5ef790505fdd2e36d3e8e62598ed36

SHA1
e8c7c88ba02e436319d789cc0f5fef6b96fd33c0

SHA256
338cac49580426f9516a2c7b33dd274b91e93480f209f201112ee0cec7f6e4af

SHA512
b0d67fd5a2dd3ea42d2c3b37313e970d094a653eb366e33de95a130ddcd718bdf6de8daff84e88e38702cb9ed8665f2f0e55e3418a17e9dabed526ee0ef4029d

Download Submit
memory/2960-0-0x0000000074C81000-0x0000000074C82000-memory.dmp

Filesize
4KB

Download
memory/2960-7-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-2-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-1-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download