njrat | 1608067bcfbc0d33c37ca63583e9cc3c45026d7c6077989740a5cfce9f9a6624

Analysis

max time kernel
69s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2025, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

31KB
MD5

c1e1a897a37cba513dc9dfddedbcde38
SHA1

374066888f20838dc30e66b2c096e79b80fa69ab
SHA256

d696e8d25a81c50c80c1ecf6e771aa6f611ab06fbab8361b93b042b21a74569a
SHA512

91077e9239ef5827669b4bd3355c80fd980920ea59cbbd335b4eba3d853c0c339e362a8875f17b953e3d2de17f144d9526a9392a47e8a3ca1bc04adb7f31d220
SSDEEP

768:zFM5TP1/plIzxTCfVYAvN1Zvy/QmIDUu0tiUVj:Ob1ay/YQVkJj

Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1492	netsh.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848928822112924"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe
3188	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	Client.exe
Token: 33	3188	Client.exe
Token: SeIncBasePriorityPrivilege	3188	Client.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: 33	3188	Client.exe
Token: SeIncBasePriorityPrivilege	3188	Client.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: 33	3188	Client.exe
Token: SeIncBasePriorityPrivilege	3188	Client.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: 33	3188	Client.exe
Token: SeIncBasePriorityPrivilege	3188	Client.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: 33	3188	Client.exe
Token: SeIncBasePriorityPrivilege	3188	Client.exe
Token: SeShutdownPrivilege	4420	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 1492	3188	Client.exe	78
PID 3188 wrote to memory of 1492	3188	Client.exe	78
PID 3188 wrote to memory of 1492	3188	Client.exe	78
PID 4420 wrote to memory of 5108	4420	chrome.exe	85
PID 4420 wrote to memory of 5108	4420	chrome.exe	85
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 232	4420	chrome.exe	86
PID 4420 wrote to memory of 1092	4420	chrome.exe	87
PID 4420 wrote to memory of 1092	4420	chrome.exe	87
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88
PID 4420 wrote to memory of 2112	4420	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0bf7cc40,0x7ffd0bf7cc4c,0x7ffd0bf7cc58
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1384 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3580,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4436,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3112 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5080,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3520,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3252,i,3324429517146577369,14553798226076513972,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3448

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
139KB

MD5
004b5efa422c66c7205a4f81cf6b9e3f

SHA1
65cc028865b516a3af27088ddc660a52f3f72411

SHA256
546d72ef596719bc110aa68b1ee098c723df7305419a447d647ffaaad59cd725

SHA512
21ea01d60b56655c83ccde152ad6c2a72eee2ed1880f66aa667817ec25b4a86ee891c3c386cf9bc6c34a8f365cd111f8a9a4f6af79ebef9aa4deef1b7b51da7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
83962094b69e2375b739432392ed701e

SHA1
53c7b4d6bb53bad424f90e9b3295e4a47f6e010d

SHA256
b74cdbadeb98384fa53834229718ab944555dfdcaea003b430c6b439159059fd

SHA512
165be00b377e9eaa43c21c4575bc1186f6dd45df9e7fcc2c9b1766e56082b74ffb349e567425936cac357af5cbd53b9cc4b16daa0c8c6c4af548139ad90c86dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
120B

MD5
513b51b8343e4ff855d59da7567e7f14

SHA1
261fc45e11676f508ee1ebbaf23b85512d564fe6

SHA256
23c27ae107a3d73da03bffc91811e7a2e195f42dd300325f06aba30484b1b7d8

SHA512
6d605c731488ed96b40a80cc3184fba6ea160f001642e33f908973b06cd2d249c4d5390ac33521f6464297580722d70729b7d2223e66b410db56c4c8313aad78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
ec8ad45169ad6fb4d34f9d6a32f4d1f4

SHA1
ea171d18d4524fefd232769d4f8c1042a2023bfa

SHA256
833478739232a3b5ffdb6dad6fcd0b4168dff09a4869e39f6313abfbd17000c0

SHA512
2cc0f8b4bac7a9af68ce97f159a35f48fd5d77be8805be59ad8ecccf238433e6d886478025476866f0993965671b8baf4814880cc074909dda07fa2193c817c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_embed.figma.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.figma.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
a5a5749293a2ebdf24215cc8ee9286d9

SHA1
d06042cd5316c336eff9e6a981f20ad8ceddb448

SHA256
6bf2974c5fec2b06ad3424c7ef94fadff78e3063df99c752b0f986c28c656768

SHA512
2431848bf155a82fd3822c7402b97a6f58aab082c7b5671a8fd61d37ef5745f080eff621ddb6b0902b34e56dd72306254d6a35cdec31a4b78611aef7e9c80dff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
849B

MD5
3da79c1452afe0fcc12bee163041905d

SHA1
275185ece47b35c3a736b339680359bfc52c9294

SHA256
48284720ee30d945a9abe76cdb86a46702852134b1cc7650a7d41c687fe3ad0a

SHA512
c4cb3ba9e53d1f040bae5cce6b8bc7809ab6c108c41e5a2d26e90169f00f24cbbad683674773666233db596c6450eef3c7be0a211f727be100f8e7ecf318cb94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
2059201b20757dec7b2f5b76672746bc

SHA1
566cd8411c609e0684db06cba2bf8fcf11be1d1c

SHA256
b6df862017da5bc547dee74c3db6f2fad59ce9fbb0601fdd234acff70a7f90e5

SHA512
cbb63537aad857d6f2bd769d4a3e20e31ac6d57c77a1081b6734ed258f5907499e0baee782e059cab5f1870a928c78f40b3085df755a046f0ac3ee6d7fdc93c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
03de92e8f57ca407f1829c1004203124

SHA1
61f9bcac1ec821707bddc3c5464b7d8822489397

SHA256
d2e6f228364f29addfd46ab0710845a8198de7adf26aa9559c61fa6159f1de0b

SHA512
08e6d7d5f48a697d0d36f66a4cd49263fcd8483fe7a4731b5a4753832f3638c00fd93958a175d93190e53791a6675e2fac14dcccc9c61905d71ab4bd1e594742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
fd00bfcb65da9245b6e8e69f42694a40

SHA1
c90d881e1ea98df7b41c4575b6e1692cb293bb27

SHA256
b33a3e90303b132e08fc47f95f1e523c9353fd941a16cfaf7b7e4a6477a227a5

SHA512
a2e09a3e063a89ef9cf982eb7d5a3748bbf63ca1659da7cc5439ee8b3cfe11283cfb4627107212b24f7aa2e6e1a3315483537d7e7b500d491d59642e0bf48dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ccd37d9497ddb4b9ef89dbc05a257bf4

SHA1
7230a4712b50b4ff76be5aa3babbf9f615091112

SHA256
20c82714032aae7e829a0a0feb3ececf638a963e12f068d27fda52f065ea6a3b

SHA512
e3033962cacf496851de524617e254677be2f8bb1524b1c0bacdc2396cafcee2bb2eabc8dbbb9f0f691eca964965edf1c22a665bb06ad471ea71e09f49fea006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d2b8ec01413ca8034bbe9aa607b4cc6

SHA1
5a107ebbe9110d6e0ca571d897f6712a745aa070

SHA256
64f6b1bd797e77562eee16485002fb782943e6944fe7a5a41579893f4ad23a43

SHA512
45ef5c291dce69f4ea8c4b449ce2126eb842def4a8d2d469c7d1621a2fc48630e57342c696f021bd66cbadc0c5b09016f64e16d4b39879990d9056e4a0291ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bbba8dd96d8f2dd191e6a615730ce570

SHA1
eb98d31ecb910f29825bb88e5fd1e34d80b516b7

SHA256
8bc5c0c0328fef631ffbd15e468ff0255cd88a5855b7c6a0f00092f7cc81a4b8

SHA512
67ab448caeebe0b5a67fbd3b6435975b63106ef528d65600ebd90ce5fe1ebecd97b6483919582da134837e08bb8369fa16a888394337388e3f45378ac8e166cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
319be53eb55ca214d7480658285bb18e

SHA1
0c603bd63c2c8061044076d2bc5b02739dc60456

SHA256
a61a4784a5339e62cbb53361c17a1f3e584bab134a0ccaaae2f2ed41e6e8ec75

SHA512
7bc2c9bde5f8756c31bec58adacd162b6c5d6e287c2dc3d42b9c1ae8a235d3f9bda7f0306ed0518f40a8c4f77e67f2e096ce90d62515bd9d8f5cc262b70ea4f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d0c136b6-cba3-4ecc-bc59-f105001cd299.tmp

Filesize
8KB

MD5
c221594815dfea1ea09e5da763ac07c6

SHA1
8ce66792b661af05b1b95bc434d0613bc6ee93f1

SHA256
a15e4db56cbc29c63ef2f44ae062c37690cf4c83b9c273e07c7c1e1d983ba3d6

SHA512
23d0dd6cc3f77897af9173e3613ac717b346f15d82aceb7c8d39119b6985cb732b4e9d7c91d71b594450d1a498a392f32cc7262f83f92f14f2c5e7569ff3556a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
48ffe36f254d96b296d2b4a052a1c22b

SHA1
11540772904677ba10862f0281143502fef65b69

SHA256
a93096b4fb81b71ee31459844b7bfb84154605715b917bfaa9f7f2af8aff9740

SHA512
8a5744194113b3b009f9028c95afadabd8b8c1637e34e4fb8590537f953f0170c9009ede6c839fdb32ec4a063eb2a5099b163cd890ee9116c1690b28eb741681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
47e9e8f24aa70d93c0a8c39d01270cb1

SHA1
51b41be6ec7498748ae4c7a0e3335587ec88e9a5

SHA256
4e55b2c4edffa646cce77d3a547a1ad67b38fc05f1b30e81068f623f5b2f9a53

SHA512
e2d2972a68538c5df282a1de4f286c3cdd7d4842bbdac7508a5cee55eecb9f97736130606d791bea25edd6d890945e8eef829e460e53d9033215c69b25ac9f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
1417c217698b23c39b89d025b8aca2eb

SHA1
d3667a0f6ea88b73b418320ae75b488d529613b2

SHA256
bf884d1c690c0bc8b8a4e537c2b8437ee4892be76f918412f91dfcd9090e14eb

SHA512
ff7e3f6c34b611ae447cc442f0694c5816464d2d70a7f67ea5393bb1cdb639067296756632e095a6c9733a0823d29619a9b7255f23a72ff7542af7336232aa92

Download Submit
memory/3188-0-0x0000000074721000-0x0000000074722000-memory.dmp

Filesize
4KB

Download
memory/3188-4-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-3-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-1-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download