44caliber | 0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

Analysis

max time kernel
510s
max time network
515s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2023 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexus.exe
Size

37KB
MD5

61bd0fa2e9ebe3b4d414addcc8f5d63a
SHA1

6f40e191b6231d1f5d28c0e47e7442bc90c4dd47
SHA256

0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0
SHA512

460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2
SSDEEP

384:GLU1ehaNitJFbOn0aH2ykr64v1Zmz/UBorAF+rMRTyN/0L+EcoinblneHQM3epzR:11/KNWtkr64NgbU2rM+rMRa8NuA1kt

Score

10^/10

44caliber njrat mastur bist evasion spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

MASTUR BIST

4.tcp.eu.ngrok.io:11745

Mutex

72e8f6d7acdae0089da4f2a44787bd9e

Attributes

reg_key
72e8f6d7acdae0089da4f2a44787bd9e
splitter
|'|'|

Extracted

Family

44caliber

https://discord.com/api/webhooks/1176494863273959484/5QDLXZvNwP_u2tt2pM_skPPZf9EYt7KOHQoIOXzHdSrz_cEuNYDOrwhNGiYE9Aulovd_

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2516 netsh.exe

pid	process
2516	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nexus.exeRutnime.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Nexus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Rutnime.exe

Executes dropped EXE 3 IoCs

Processes:

Rutnime.exetmp4E84.tmp.exetmp6A90.tmp.exe

pid process

4376 Rutnime.exe
1772 tmp4E84.tmp.exe
4976 tmp6A90.tmp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

101 freegeoip.app
45 freegeoip.app
46 freegeoip.app
100 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4376	Rutnime.exe
1772	tmp4E84.tmp.exe
4976	tmp6A90.tmp.exe

flow	ioc
101	freegeoip.app
45	freegeoip.app
46	freegeoip.app
100	freegeoip.app

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp4E84.tmp.exetmp6A90.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	tmp4E84.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp4E84.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	tmp6A90.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp6A90.tmp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

tmp4E84.tmp.exemsedge.exemsedge.exeidentity_helper.exetmp6A90.tmp.exe

pid	process
1772	tmp4E84.tmp.exe
1772	tmp4E84.tmp.exe
1772	tmp4E84.tmp.exe
1772	tmp4E84.tmp.exe
1692	msedge.exe
1692	msedge.exe
4584	msedge.exe
4584	msedge.exe
3296	identity_helper.exe
3296	identity_helper.exe
4976	tmp6A90.tmp.exe
4976	tmp6A90.tmp.exe
4976	tmp6A90.tmp.exe
4976	tmp6A90.tmp.exe
4976	tmp6A90.tmp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Rutnime.exetmp4E84.tmp.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: SeDebugPrivilege	1772	tmp4E84.tmp.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	556	AUDIODG.EXE
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe
Token: 33	4376	Rutnime.exe
Token: SeIncBasePriorityPrivilege	4376	Rutnime.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Nexus.exeRutnime.exemsedge.exe

description	pid	process	target process
PID 1700 wrote to memory of 4376	1700	Nexus.exe	Rutnime.exe
PID 1700 wrote to memory of 4376	1700	Nexus.exe	Rutnime.exe
PID 1700 wrote to memory of 4376	1700	Nexus.exe	Rutnime.exe
PID 4376 wrote to memory of 2516	4376	Rutnime.exe	netsh.exe
PID 4376 wrote to memory of 2516	4376	Rutnime.exe	netsh.exe
PID 4376 wrote to memory of 2516	4376	Rutnime.exe	netsh.exe
PID 4376 wrote to memory of 1772	4376	Rutnime.exe	tmp4E84.tmp.exe
PID 4376 wrote to memory of 1772	4376	Rutnime.exe	tmp4E84.tmp.exe
PID 4376 wrote to memory of 4584	4376	Rutnime.exe	msedge.exe
PID 4376 wrote to memory of 4584	4376	Rutnime.exe	msedge.exe
PID 4584 wrote to memory of 572	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 572	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4344	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1692	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1692	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2464	4584	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Nexus.exe
"C:\Users\Admin\AppData\Local\Temp\Nexus.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\Rutnime.exe
"C:\Users\Admin\AppData\Roaming\Rutnime.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Rutnime.exe" "Rutnime.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2516

C:\Users\Admin\AppData\Local\Temp\tmp4E84.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4E84.tmp.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0b6546f8,0x7ffd0b654708,0x7ffd0b654718
4⤵
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
4⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
4⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
4⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
4⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
4⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
4⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
4⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
4⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
4⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3780131173754915538,8686992742648389714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
4⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\tmp6A90.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6A90.tmp.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
675B

MD5
690d569a2a6bfe0ff8cd418bb358d23a

SHA1
28a26cca2d6688af4f587f09d5965185661c64ff

SHA256
911aec72f7d61e27170ea78406bb600e0fb9f3030be9ec51ce600fbbbec70ebe

SHA512
7c5d144488f5107de55499a3fd57ea1b8257062a60f653faccbf5917b2d2bee7514459774b8dec87d8960f8b25a53eacd12460a8be358631c23e7fd2089f7aa4

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
1e79e75a7613ee7d1d5a112c297286e5

SHA1
255640b316ef39a9b05d85ae0c738135b659765c

SHA256
62f2c5cebd6d5de2397a423b89e36be4a9ef9161e02bf2b8535fcb6f195ecb06

SHA512
191d0a584098a57f38c9ab0468a27a8864c6207532e1fc22b863608e472c542183146e4e2b47ed352308bbba27e58adb1870560c858d68d39214f799aa268151

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
660B

MD5
329e1990fa06f43cb51b924fe63a1bb0

SHA1
565604b3c05eb0957abf249c03c1e46fbc30bb8a

SHA256
9315c2eb12bb1f4cb90dce95e848019362850332a9b673f038416c471f006ea4

SHA512
db79f79aab4604cd0d0aaf331bf27712363f3d40eace5529c566457a19e07ce52c02a1b1fc6baed6bff37167b068e65b3f8b1fdba11faa120b53721676e18f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
9d37cfcbee324f9a74cf67f60b4dfd73

SHA1
9736ade3f2ad7fd65d67dc01f8ad581a68f36e1e

SHA256
ea5963099fe78a966365b2ffe487867292a738e1b0ddacf78f2854187a83f9e9

SHA512
f4fc7837b245d1acd1922e6e84456230028ef93ed0ce303df7cd044c725755a2edc2ef2665e7a59a09b1b1492c859cdd8a880aae7b1f0d09851f3c31b8025df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5bb7c1f50f560aa21cd7bb8fa708910a

SHA1
889ccb097aa7e52a363334b9241248d8ce9ba453

SHA256
a0b71086d1e269952f88b2437591ffa7a83694c848b88fa3c15627c19c293671

SHA512
e90d305933255c313347bb17d6e94b29c8b1e287974d57573a0e3c429770eb68bc43f39895c499cac9d073754942a46b4eb37dc2f3ead19975ff4607f26568cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
276e4c80d5315a1520becc50bd53263e

SHA1
517bd296d147254ce85c01476c3925d2083d55d2

SHA256
1b5327788645d801d9d09806ba4e6b6e98f098b3491bcfe2a5c789cf88f165b5

SHA512
4647a4042766ec0c002ce412f53a00d10645ec076f3a108b87e0ed8fd8f62db9cfb81923f7e2d413c47e7687817738b8e96e9be04eb0e51964c16191a8e7df84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85518e556d6046a1d46e6950f1404b55

SHA1
e170a9c437bd3de990c67692f551369355f40f9c

SHA256
c8cf49da875c76b4cf920feab0dac3febe4ca85e336e1c77bcc40bfc5a6478c6

SHA512
3241b17fe8f1a2d7a26adee95220eb2cf25214a4e3c81a5a38cbb400d94ca85984ca1814a5c987d142ae1df1cb4376218f1ae8b38c54a3a361ab3ec7a565b25c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2c001f56f430971fcb51756ab77decaf

SHA1
b022d1a003d2ba424a6a88b8e3c8f0f59cf2555d

SHA256
5deccedf03f996b05597edc23a632455e33c3e1a0bccfcb28c7cb205afc80466

SHA512
0b40c68037525c8b88b32c446f008e96e92bd20bc3b8dfbd9f1816b201bcff44782d73898791e45e996cd69ac93a8285e724e600528428f8d6f003d0a0c28c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E84.tmp.exe

Filesize
274KB

MD5
c02c76967b409f72b8f08b43e1d31d26

SHA1
9d613eb32e844a4d71ae3b2a468a1cbeda409aa0

SHA256
4fe4b7e12035592580045ab2846b7a5ceabda4a293559dd2037f841afef6512d

SHA512
76d1f9d7bbeb4eed7927d052414b02a1dc24b25395e721ddb125c070d60cefd4961d2cdaa418a3f245d63f8bd53bb374394eb713941f1409bdd7229ba789549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E84.tmp.exe

Filesize
274KB

MD5
c02c76967b409f72b8f08b43e1d31d26

SHA1
9d613eb32e844a4d71ae3b2a468a1cbeda409aa0

SHA256
4fe4b7e12035592580045ab2846b7a5ceabda4a293559dd2037f841afef6512d

SHA512
76d1f9d7bbeb4eed7927d052414b02a1dc24b25395e721ddb125c070d60cefd4961d2cdaa418a3f245d63f8bd53bb374394eb713941f1409bdd7229ba789549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E84.tmp.exe

Filesize
274KB

MD5
c02c76967b409f72b8f08b43e1d31d26

SHA1
9d613eb32e844a4d71ae3b2a468a1cbeda409aa0

SHA256
4fe4b7e12035592580045ab2846b7a5ceabda4a293559dd2037f841afef6512d

SHA512
76d1f9d7bbeb4eed7927d052414b02a1dc24b25395e721ddb125c070d60cefd4961d2cdaa418a3f245d63f8bd53bb374394eb713941f1409bdd7229ba789549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A90.tmp.exe

Filesize
274KB

MD5
c02c76967b409f72b8f08b43e1d31d26

SHA1
9d613eb32e844a4d71ae3b2a468a1cbeda409aa0

SHA256
4fe4b7e12035592580045ab2846b7a5ceabda4a293559dd2037f841afef6512d

SHA512
76d1f9d7bbeb4eed7927d052414b02a1dc24b25395e721ddb125c070d60cefd4961d2cdaa418a3f245d63f8bd53bb374394eb713941f1409bdd7229ba789549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A90.tmp.exe

Filesize
274KB

MD5
c02c76967b409f72b8f08b43e1d31d26

SHA1
9d613eb32e844a4d71ae3b2a468a1cbeda409aa0

SHA256
4fe4b7e12035592580045ab2846b7a5ceabda4a293559dd2037f841afef6512d

SHA512
76d1f9d7bbeb4eed7927d052414b02a1dc24b25395e721ddb125c070d60cefd4961d2cdaa418a3f245d63f8bd53bb374394eb713941f1409bdd7229ba789549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B0C.tmp.dat

Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B4F.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
12173a517434538fbc559bb33c2ed7ca

SHA1
ea2c1738d2bc9775b381545c93e1704d94a8c1fd

SHA256
a7765f08214b467a20b319a5a06c70c48155384301ccd68c9d93b34b17aac889

SHA512
7a3f48de1af3ec4409f33b4f0ae445c5592d4dccffeadd6ea3f280f1da6614b8e2482bcae265c937617604b00bd6efe65daf29e76ac2b0325c3a2e75f757e62e

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
12173a517434538fbc559bb33c2ed7ca

SHA1
ea2c1738d2bc9775b381545c93e1704d94a8c1fd

SHA256
a7765f08214b467a20b319a5a06c70c48155384301ccd68c9d93b34b17aac889

SHA512
7a3f48de1af3ec4409f33b4f0ae445c5592d4dccffeadd6ea3f280f1da6614b8e2482bcae265c937617604b00bd6efe65daf29e76ac2b0325c3a2e75f757e62e

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
12173a517434538fbc559bb33c2ed7ca

SHA1
ea2c1738d2bc9775b381545c93e1704d94a8c1fd

SHA256
a7765f08214b467a20b319a5a06c70c48155384301ccd68c9d93b34b17aac889

SHA512
7a3f48de1af3ec4409f33b4f0ae445c5592d4dccffeadd6ea3f280f1da6614b8e2482bcae265c937617604b00bd6efe65daf29e76ac2b0325c3a2e75f757e62e

Download Submit
C:\Users\Admin\AppData\Roaming\Rutnime.exe

Filesize
37KB

MD5
61bd0fa2e9ebe3b4d414addcc8f5d63a

SHA1
6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

SHA256
0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

SHA512
460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

Download Submit
C:\Users\Admin\AppData\Roaming\Rutnime.exe

Filesize
37KB

MD5
61bd0fa2e9ebe3b4d414addcc8f5d63a

SHA1
6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

SHA256
0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

SHA512
460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

Download Submit
C:\Users\Admin\AppData\Roaming\Rutnime.exe

Filesize
37KB

MD5
61bd0fa2e9ebe3b4d414addcc8f5d63a

SHA1
6f40e191b6231d1f5d28c0e47e7442bc90c4dd47

SHA256
0fb476fcf470f8a77b075a31969e0351bca63392e38ba970f50580b4bc1f5fc0

SHA512
460f8abd06c7e4b48c1bdacb3bd7c137260aa961459a5edabaf8a02b56a6e7225f517385d48172ed068842ca590270993df9d4c137e0a4666a168311c8e6abe2

Download Submit
\??\pipe\LOCAL\crashpad_4584_ZGWGNEKIGMNDYNHF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1700-2-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/1700-1-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/1700-0-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/1700-12-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/1772-152-0x00007FFCFB4B0000-0x00007FFCFBF71000-memory.dmp

Filesize
10.8MB

Download
memory/1772-53-0x00007FFCFB4B0000-0x00007FFCFBF71000-memory.dmp

Filesize
10.8MB

Download
memory/1772-31-0x00000288B4260000-0x00000288B42AA000-memory.dmp

Filesize
296KB

Download
memory/1772-54-0x00000288CE7E0000-0x00000288CE7F0000-memory.dmp

Filesize
64KB

Download
memory/4376-16-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4376-15-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-14-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4376-18-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4376-19-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4376-13-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-17-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-271-0x00007FFCF9510000-0x00007FFCF9FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-410-0x00007FFCF9510000-0x00007FFCF9FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-284-0x00000209750C0000-0x00000209750D0000-memory.dmp

Filesize
64KB

Download