njrat | c2cf11a33909db8e4043e88b0119f099d9360fd1f275f4c5b3f7fd204048815c

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 04:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85e63cb6ed366d4b548bfff49528e6ac.exe
Size

1.4MB
MD5

85e63cb6ed366d4b548bfff49528e6ac
SHA1

d58aeb222fff4730f194346b793b6e1a2773dba9
SHA256

c2cf11a33909db8e4043e88b0119f099d9360fd1f275f4c5b3f7fd204048815c
SHA512

44f3c62b38e3a88cef16c5f541354bcdad7a528e73df2c8694f2826da9ec8dbdd76e2015bc41ba657f6440581e8ce001eb4fde6a1ad7e14afd5c343adc71a647
SSDEEP

24576:Gk/y1uiGoqf3GKjvYyCzbkI8DOhjrqnXDGX72e6meg:GQy1ubo0GKrhCzbkxSIXDGr2er

Score

10^/10

njrat hacked microsoft phishing trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

bixigalixa00s.duckdns.org:1177

Mutex

0835cb7495591383306ffedb0ea7c256

Attributes

reg_key
0835cb7495591383306ffedb0ea7c256
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\I:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\L:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\M:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\S:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\V:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\A:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\B:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\X:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\K:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\W:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\O:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\Q:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\R:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\U:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\Y:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\Z:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\E:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\N:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\P:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\T:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\H:	85e63cb6ed366d4b548bfff49528e6ac.exe
File opened (read-only)	\??\J:	85e63cb6ed366d4b548bfff49528e6ac.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe
4044	msedge.exe
4044	msedge.exe
1076	identity_helper.exe
1076	identity_helper.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4116	85e63cb6ed366d4b548bfff49528e6ac.exe
Token: SeCreatePagefilePrivilege	4116	85e63cb6ed366d4b548bfff49528e6ac.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4116	85e63cb6ed366d4b548bfff49528e6ac.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 4116 wrote to memory of 2980	4116	85e63cb6ed366d4b548bfff49528e6ac.exe	85
PID 2980 wrote to memory of 4044	2980	85e63cb6ed366d4b548bfff49528e6ac.exe	91
PID 2980 wrote to memory of 4044	2980	85e63cb6ed366d4b548bfff49528e6ac.exe	91
PID 4044 wrote to memory of 4328	4044	msedge.exe	92
PID 4044 wrote to memory of 4328	4044	msedge.exe	92
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 392	4044	msedge.exe	94
PID 4044 wrote to memory of 4192	4044	msedge.exe	93
PID 4044 wrote to memory of 4192	4044	msedge.exe	93
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95
PID 4044 wrote to memory of 2948	4044	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\85e63cb6ed366d4b548bfff49528e6ac.exe
"C:\Users\Admin\AppData\Local\Temp\85e63cb6ed366d4b548bfff49528e6ac.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\85e63cb6ed366d4b548bfff49528e6ac.exe
  "C:\Users\Admin\AppData\Local\Temp\85e63cb6ed366d4b548bfff49528e6ac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=85e63cb6ed366d4b548bfff49528e6ac.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ff822ac46f8,0x7ff822ac4708,0x7ff822ac4718
      4⤵
      PID:4328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:3068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
      4⤵
      PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      4⤵
      PID:1864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      4⤵
      PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
      4⤵
      PID:1216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:3536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11869739060407251350,16603971379541079478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=85e63cb6ed366d4b548bfff49528e6ac.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff822ac46f8,0x7ff822ac4708,0x7ff822ac4718
      4⤵
      PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\538bf1b2-add3-4f50-92ec-b0d25b4ab2d2.tmp

Filesize
10KB

MD5
c4e8a612274bb8cbd87d60d509e650d1

SHA1
bb87ac64b3f9eff18be7892544b5f2d53e490c09

SHA256
21b9cc01a2c4a28f67d11bd1d5e6a5356960aa7268f1ad6fd9779cdc3882d68e

SHA512
6b60c6ba073716de2daa6a99f57e4231a346a11f6f530fecf2edd0666ea35e265c3a23169b8e6a86dea046be1b4261449b72b3dcd040d4e97bbeca219162e01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4d685997c527d49b4117fa900e0e9c91

SHA1
d21e1baca5bfa2db488b18bf5dc87960bb437d03

SHA256
96a54974d150b9750ab0b0f3b3f814623345ad2f8160eddb5e3697062461ecc2

SHA512
fe5423ee20fce550d33a0f919b7502cb7bb227226b15293f50129c7743295c4709eabebd487dafee53a8a544608c914892b3f08b5aed2eafd504b89a128ab1ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31c4e5752644f7c2ef5bccd3636bb2a9

SHA1
c9ae8dfd6b6656a9bff117120205a2d436e193df

SHA256
d6fc047deead9edcfa43d4f37ed96a68b7132fc1fbc167c0c4f4fe51fa9542bd

SHA512
313bdee3377bfe85cbe13eae761370a367c607ef59a52571b2fb4473c7ddb81d953c55e6a56a24547cbe4d04901c18cc8beb79fac74ca46addfc99e1bff0acdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1219c13c0bf6ab1b58b0c669ac45ab5d

SHA1
dec04e1ca13e489bf2b28bdb9aa2c2e5c34f07c4

SHA256
dbb59ac70a2071de568b84e39a5302337e4f48b4d27a9e07f3ce547a811f623e

SHA512
559b0daf72bedf9929893c30c0144d992d5417c6e302286e3086b2eab894340c6b9a199a406492fa696832e24849636d963a1d75c2f92721e876f0ec870c7070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae468bfc8835b7b68fe7f9d6381b200d

SHA1
fe02b0e9abf151cd045ed524b051302cb98b2e9f

SHA256
03ad3f31856d0b9134916e210f186d81ecf9ae7edc5c84c034873eccd6e7d425

SHA512
58a57f6d6f7418e084f65f8cf8e059fd31d61e64ac2fd7a80e12af09bc05243efcb58cc595dbe1e672e9023109121b54c8d9d2ad8cbdbf2b064a9210c8e8249d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
7058bc2344f11a279fe4e198731fdd9d

SHA1
1940726733290c363a22dd6f191d9ef99ab242b3

SHA256
ec7972858065ee543c9dbe3036c9b60d03bd5b7ee4279099f4e88efad61eb879

SHA512
e80ba16b1d62872a2deec51a99a72577ce31b6a90c198af43f9993267821a3a4910faba99945fbb37059354dadd2610affc9f4674636bb05f6803479f57a412b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c15c.TMP

Filesize
371B

MD5
1b43ffe101576fc05eefa7b75a1ad0dc

SHA1
609224af9917206d1e21e0f0460bbbae9cabac4d

SHA256
4073821e42345ad7fe984829998566e1942f63e60bde4cd3ed22662378644a99

SHA512
579c8519c874df10a462dc80cab45cb6149fafd303eabb6d6abb8c8f3f9611a9912ca5118c36e395cc15fd3fb39787536be97d5ced55284040685c697b3be869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28da5fc6d51b3c6f47346128e33aca3d

SHA1
c6013d6cea53e21dd2bf4cf4d7c6759d47c8dae7

SHA256
38e4b18863412cd01754c01695a27ca7b44cc94024a68ec53fbfbf52206c3e30

SHA512
2c5f33c3930b1fd00224efffd37b11a7133086b607fa25f407ddacd78eaede6cbc02a161dd7b219cdcdbf92dfb5684577f3ababcaaefb256377b9c4c7345bf52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
memory/2980-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download