njrat | a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
Size

711KB
MD5

61ad9e5151fa5909d9e5ef8881b15870
SHA1

e6853896639f59c4fadc69fa5e025f50c5daab52
SHA256

a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc
SHA512

a29ee9b434f148c3c43c0121e945493f6c86504019e9dfad5887a211bb561200674ddbf17d42ea1103e209b69045e872dd020f1dfa940c0c22522a2a60c3edd1
SSDEEP

12288:jhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4agIe4wPx/K:pRmJkcoQricOIQxiZY1iagIhe/K

Score

10^/10

njrat microsoft persistence phishing trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 1 IoCs

Processes:

a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe

description	pid	process	target process
PID 2684 set thread context of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b28dec8f-a48d-4e5d-aaca-03ce47d7f2a8.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221003043834.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

4404 msedge.exe
4404 msedge.exe
2304 msedge.exe
2304 msedge.exe
3972 msedge.exe
3972 msedge.exe
1644 identity_helper.exe
1644 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3972 msedge.exe
3972 msedge.exe
3972 msedge.exe
3972 msedge.exe
3972 msedge.exe
3972 msedge.exe
3972 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3972 msedge.exe
3972 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4404	msedge.exe
4404	msedge.exe
2304	msedge.exe
2304	msedge.exe
3972	msedge.exe
3972	msedge.exe
1644	identity_helper.exe
1644	identity_helper.exe

pid	process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

pid	process
3972	msedge.exe
3972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exea2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 2684 wrote to memory of 5056	2684	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
PID 5056 wrote to memory of 3972	5056	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	msedge.exe
PID 5056 wrote to memory of 3972	5056	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	msedge.exe
PID 3972 wrote to memory of 2172	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 2172	3972	msedge.exe	msedge.exe
PID 5056 wrote to memory of 2916	5056	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	msedge.exe
PID 5056 wrote to memory of 2916	5056	a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe	msedge.exe
PID 2916 wrote to memory of 2484	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 2484	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 2916 wrote to memory of 3848	2916	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe
PID 3972 wrote to memory of 3232	3972	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
"C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
"C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8ab0346f8,0x7ff8ab034708,0x7ff8ab034718
4⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
4⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 /prefetch:8
4⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
4⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
4⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
4⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5456 /prefetch:8
4⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
4⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
4⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6204 /prefetch:8
4⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
4⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
4⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
4⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1ec,0x22c,0x7ff7770e5460,0x7ff7770e5470,0x7ff7770e5480
5⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10726876696422306373,3745923825570900128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8ab0346f8,0x7ff8ab034708,0x7ff8ab034718
4⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5507390484768167747,11823546253069981099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
4⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5507390484768167747,11823546253069981099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
b2eb40bbc2497cd170740d37eb1abbf5

SHA1
23875cde952221031044e734882274ee826f282d

SHA256
6dfc5aaed644f6c56fd6522a9c029e6760f32e3acdb3a4efc971919c0f5cc809

SHA512
7042aab52cfe09f04e8117b9adb8db1e6e5a38dce125cabf3d12c6337d6692f426feccf0712e9326a776087594d1a50361f709f9b86b419262b2c7193566f7f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
412B

MD5
0aeedf3db6c101dcab0dfa8a20f00cf7

SHA1
2e851a1e911749ef1ff4bfe08264f8018e43d5e5

SHA256
a710c5163522f1d68e8e12d99749bbbb9f818029bf5e8b3ba16f25434b63e44b

SHA512
316ed4390e6996b073fd1f86d9047e04e5d555e6e374e1d989d7dd91462eeaaedd703e066cf0ec3fb07b7ad747b90e8f742961997195aab26f43d4661f47a383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
237d137bbc8b9f4a35538584e75bf88f

SHA1
44c5721f6ebefedc04b48c16bde4f771734f9e74

SHA256
1ff888d0dadc2e3480b52805c3c02af4344a437dc4e0cabce1195193f5816e9f

SHA512
5fbc17c7db1a4b346a788618535d93dc58c9842c0a51c4abba937611baa21f6efa1f63c61ba3e0227dfe8bedf78c1c1ec4be803528e7c892e1f079dfa66f404a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638003595764092343
Filesize
4KB

MD5
0c89e90a698ad14530077337d45e0e37

SHA1
b60f90cb4ce9c3e16eb8156029b320ca4e66244e

SHA256
957b8c3a1ed6c8003e981a541b08aa58d8387df09eb0dff7cc30febda72a382d

SHA512
1fa87caf85f22e4e8faf30182d0dc0d6d8ebcc032add60a8843527751663347df5c78dbad2c809cf799f4a5d67712b84c9723956e19b539a8d55cc5d61d989a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
d4dba390ab9454a5408405d55f013558

SHA1
f3ce9d1b11ba8cb019cac4178a37b4a7d9b72891

SHA256
fa728d3a97a5694c54522b3bbe9ae4fef0970ef62b1bab8ba316a56f8e429caf

SHA512
ef0b93e93758b60816ebc23a44fdde3cf3dc5ead7f9db4fe0caa10159c9a171541149d17366b1f64c62d3933f792d757e8dc96b15db31920a7f49ccef506666d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638001453611427348
Filesize
4KB

MD5
aa56253d312d3451434537905afef826

SHA1
11d20acb0ace460ad1420b71c0d11fc391ec1e15

SHA256
7c0274f5ab035fb059a0eabbfbfecb71d0e7d3de0c18389d55fae371d8e9b3be

SHA512
74b6806b7f5fc514189ee98e3becb76db6191388aa03876564a15e831b0d392c5650733f8dbb3614a3f4f0cf4f315836cdc2cf1f56fd0ccafbc7d17daa28e406

Download Submit
\??\pipe\LOCAL\crashpad_2916_IBIWNRBQFRCTUGFY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3972_ONLJJSYRSHMMFCTT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-164-0x0000000000000000-mapping.dmp

Download
memory/424-166-0x0000000000000000-mapping.dmp

Download
memory/624-170-0x0000000000000000-mapping.dmp

Download
memory/1644-181-0x0000000000000000-mapping.dmp

Download
memory/2172-135-0x0000000000000000-mapping.dmp

Download
memory/2304-145-0x0000000000000000-mapping.dmp

Download
memory/2376-174-0x0000000000000000-mapping.dmp

Download
memory/2404-172-0x0000000000000000-mapping.dmp

Download
memory/2440-162-0x0000000000000000-mapping.dmp

Download
memory/2484-137-0x0000000000000000-mapping.dmp

Download
memory/2916-136-0x0000000000000000-mapping.dmp

Download
memory/3136-176-0x0000000000000000-mapping.dmp

Download
memory/3232-144-0x0000000000000000-mapping.dmp

Download
memory/3544-179-0x0000000000000000-mapping.dmp

Download
memory/3768-168-0x0000000000000000-mapping.dmp

Download
memory/3848-143-0x0000000000000000-mapping.dmp

Download
memory/3972-134-0x0000000000000000-mapping.dmp

Download
memory/3984-180-0x0000000000000000-mapping.dmp

Download
memory/4172-152-0x0000000000000000-mapping.dmp

Download
memory/4404-146-0x0000000000000000-mapping.dmp

Download
memory/4792-178-0x0000000000000000-mapping.dmp

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download
memory/5056-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download