bdaejec | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

Analysis

max time kernel
68s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nCbq.exe
Size

15KB
MD5

56b2c3810dba2e939a8bb9fa36d3cf96
SHA1

99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256

4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512

27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
SSDEEP

384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr

Score

10^/10

bdaejec aspackv2 backdoor discovery spyware stealer

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 2 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/2612-0-0x00000000013D0000-0x00000000013D9000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/2612-3-0x00000000013D0000-0x00000000013D9000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000017497-156.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	chrome.exe

Deletes itself 1 IoCs

pid	Process
912	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2980	chrome.exe
1740	chrome.exe
2720	chrome.exe
2220	chrome.exe
2196	chrome.exe
1968	chrome.exe
2452	elevation_service.exe
2000	chrome.exe
1796	chrome.exe
2888	chrome.exe
2676	chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	Process not Found
1204	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	nCbq.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	nCbq.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	nCbq.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	nCbq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	nCbq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	nCbq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	nCbq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	nCbq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	nCbq.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	nCbq.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	nCbq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	nCbq.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	nCbq.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	nCbq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	nCbq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	nCbq.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	nCbq.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	nCbq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	nCbq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	nCbq.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nCbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe
Token: SeShutdownPrivilege	2980	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1740	2980	chrome.exe	36
PID 2980 wrote to memory of 1740	2980	chrome.exe	36
PID 2980 wrote to memory of 1740	2980	chrome.exe	36
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2720	2980	chrome.exe	38
PID 2980 wrote to memory of 2220	2980	chrome.exe	39
PID 2980 wrote to memory of 2220	2980	chrome.exe	39
PID 2980 wrote to memory of 2220	2980	chrome.exe	39
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40
PID 2980 wrote to memory of 2196	2980	chrome.exe	40

C:\Users\Admin\AppData\Local\Temp\nCbq.exe
"C:\Users\Admin\AppData\Local\Temp\nCbq.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\22ee0901.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:912

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5839758,0x7fef5839768,0x7fef5839778
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3256 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3288 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3232 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:1
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=1288,i,6862538971357106956,9826505206534602039,131072 /prefetch:8
  2⤵
  PID:920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2452

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RatCore\" -spe -an -ai#7zMap25676:76:7zEvent24510
1⤵
PID:2752

C:\Users\Admin\Downloads\RatCore\nCbq.exe
"C:\Users\Admin\Downloads\RatCore\nCbq.exe"
1⤵
PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3164454d.bat" "
  2⤵
  PID:2620

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.6MB

MD5
ec6386b63c3a5ffe0577905e94262c3a

SHA1
8f8c428d0e7f32c9d733ca28384ded413a060588

SHA256
302c968ab3e1227d54df4e72f39088d7483d25eeb3037f0b16bc39cef2728fa4

SHA512
ddbefb759858493de1f9d7addc6ff4488c8be3164374e0a88c3cbe97751510005dfe6d91c5499fcbdc35aa33a8eda2d45591a66e54ab9462277dc833faef77c3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
a28cb705249a5c3bcaf1847c78c3b1ef

SHA1
c9c77d745298146a5edbd1aaea81790c94c1ee65

SHA256
525f54e4f5d58ea2a9912f570200f377f1294d5bc68575be49336d823c510a63

SHA512
38c13036d6d4a5b7560ace7b95551433f498400d03ae3b6e13e1e53347c4857fe4f048e8b62a1d768805e93851573b1487240f4d189bf51b8406425d8945c6f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
01577aad4c23d7085a1955b3aab714e7

SHA1
abafb4e1e29a9173af6fcb3f72ebbbc11ed0f28b

SHA256
a46cebcd7e0a6f56b68c87a7f3ad09596094b3bedcb8430d92d78a4e26615576

SHA512
71e6b08947249a577d0c2c66e0b7338e9aa985e1902a434089d74ba255ddcf3c6fd838967f7102625a6c691a8b7659afcc3ff4c71f719b8897a0e0294297433f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3437d20728961045b679a506bac42746

SHA1
ab80610a52f152bb6d39e4dc0e56277e76fb1c1f

SHA256
4d85b05ca8b6fc0c10017ef8e3cd38ef12ef56ccd362a7a1bef2ff2515307f31

SHA512
d39992c15e4aca9a07dd7591bbc04e2dd85f7ae44cbaebcdab1295b2a0d4711c770f961e8be2337683b413d36a43a42c3a97b6d109308f04751088c57312a8e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\22ee0901.bat

Filesize
183B

MD5
8048dcbd530d39977a73d5132208ddea

SHA1
b28ba430a4264ff6029fc28dd9822157b74e5393

SHA256
2ff2b8131b883b0a25270f1cf0e92ff6841d550d82551f6d2f7671189e2b8e42

SHA512
49922fa70b0c6cf3e48aacb7afb01e18f5146299591289561c2c582336603406af440d6771f21cf6eb11d6e278d74e2621c9404dab91cbbbe58731fa6d249470

Download Submit
C:\Users\Admin\AppData\Local\Temp\3164454d.bat

Filesize
181B

MD5
06f247491c507bcca8bc53ab8b055569

SHA1
679cf00bac7037da45aec72d694994d7610da450

SHA256
3cf778adb2c7bbc5c258cb7f98d3d7583b0afd7c169b383b528f2eef9439aa2b

SHA512
50d2d27c0190eb61b3773b6444395437c7d6648f6675846eda479e069f90803b53f302e3047e597f140ed4358d64f49222383b1091dec9c2622caada67afdf58

Download Submit
C:\Users\Admin\Downloads\RatCore.rar

Filesize
12KB

MD5
b3cba2b28c5096743ac4d9c342e4fb60

SHA1
d959eaf1e741564ed7694e80a1e5e11b9eebaf07

SHA256
e616502422732b58899f58cd7728ead37c6e51963fc99909b3a35e9e4178eb87

SHA512
b0dba8295740318368e1d410f32727aeceb36ead5c1d9351b7e7b02ff9fe4f3e8dc132fc528cd2ecc8b3063b71c8ca8678047bf24a07374e4d53085616f9a2a3

Download Submit
C:\Users\Admin\Downloads\RatCore\nCbq.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Program Files\7-Zip\7zG.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
\Program Files\Java\jre7\bin\javacpl.exe

Filesize
74KB

MD5
931b7ae616b78225bd2a3bcbbbb800ab

SHA1
530a78651469f64ea438d42ff67ab55b6f843ee5

SHA256
41cc8fa985caae53db27419b4bfa4aee82c135ec28dafa1cfdb43524ad323608

SHA512
6c6795a699216e3e28888774dba8eb4c80c1dfbb61fcaadd3c1e4ba3a5e88b5bd6502854517e34743cbea904b4e01aef13481a5517a0c03cd156ec1d28bbb1bf

Download Submit
\Program Files\VideoLAN\VLC\vlc.exe

Filesize
966KB

MD5
3740507a1dc4ff4cb5c6e52652c10c20

SHA1
b2c8a0a736fe81c101f4ab4cd6be8099c3f902b3

SHA256
6a72cc8649a63b017844c4c1f3885a250d1a982ffe5f1e58b6f1432fe9198e62

SHA512
d5299859a6121c6ae5813be61648ca1f005970ebe34a8217d05b570ffbd4651f64ad7b3a7bf5129e708e07b36e097333f754b213e73d5fe9246347afd8fa3c22

Download Submit
memory/872-158-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/2612-0-0x00000000013D0000-0x00000000013D9000-memory.dmp

Filesize
36KB

Download
memory/2612-3-0x00000000013D0000-0x00000000013D9000-memory.dmp

Filesize
36KB

Download