njrat | a9dfed16b30cfef2106e4d1626e4cb7cffdacbdcbf2fc13865be64a918e0f255

Analysis

max time kernel
138s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Size

1.1MB
MD5

d2208a80c24abd0ccfcaf45dd9d332ab
SHA1

ae076b92ee7853ae263ccb4f73c39e6441066b3b
SHA256

a9dfed16b30cfef2106e4d1626e4cb7cffdacbdcbf2fc13865be64a918e0f255
SHA512

1f8fc8b99c3138db816b90e4335ff5a31cd4226795e6bcc1a3a8c0d1934d5893d8f26dfd4ddfd5354ab2d2bc2b35f06d715b5b71eb67b62de4a696d4c112f0a9
SSDEEP

24576:64lavt0LkLL9IMixoEgeakVR0x3+Dey45nxGq9MmCS:Nkwkn9IMHeakHYuf+EaPCS

Score

10^/10

njrat hacked discovery evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.31.130:5552

Mutex

0a2e5cfbc3a5b8d96d011c7841e3236a

Attributes

reg_key
0a2e5cfbc3a5b8d96d011c7841e3236a
splitter
|'|'|

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	7366.exe

Executes dropped EXE 4 IoCs

pid	Process
4532	7366.exe
4728	Server.exe
4204	cat2.exe
3296	Server.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4728 set thread context of 3296	4728	Server.exe	90

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7366.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cat2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
1324	msedge.exe
1324	msedge.exe
4560	identity_helper.exe
4560	identity_helper.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4728	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4532	2456	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	86
PID 2456 wrote to memory of 4532	2456	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	86
PID 2456 wrote to memory of 4532	2456	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	86
PID 4532 wrote to memory of 4728	4532	7366.exe	88
PID 4532 wrote to memory of 4728	4532	7366.exe	88
PID 4532 wrote to memory of 4728	4532	7366.exe	88
PID 4532 wrote to memory of 4204	4532	7366.exe	89
PID 4532 wrote to memory of 4204	4532	7366.exe	89
PID 4532 wrote to memory of 4204	4532	7366.exe	89
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 4728 wrote to memory of 3296	4728	Server.exe	90
PID 3296 wrote to memory of 1324	3296	Server.exe	92
PID 3296 wrote to memory of 1324	3296	Server.exe	92
PID 1324 wrote to memory of 2712	1324	msedge.exe	93
PID 1324 wrote to memory of 2712	1324	msedge.exe	93
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 464	1324	msedge.exe	94
PID 1324 wrote to memory of 4384	1324	msedge.exe	95
PID 1324 wrote to memory of 4384	1324	msedge.exe	95
PID 1324 wrote to memory of 2300	1324	msedge.exe	96

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456
- C:\Users\Admin\AppData\Local\Temp\7366\7366.exe
  "C:\Users\Admin\AppData\Local\Temp\7366\7366.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp\Server.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Server.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xb4,0x110,0x7ff9651f46f8,0x7ff9651f4708,0x7ff9651f4718
        6⤵
        
        PID:2712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        6⤵
        
        PID:464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
        6⤵
        
        PID:2300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:4404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        
        PID:1900
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
        6⤵
        
        PID:1444
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        6⤵
        
        PID:2456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
        6⤵
        
        PID:1620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
        6⤵
        
        PID:332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
        6⤵
        
        PID:2560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
        6⤵
        
        PID:4536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
        6⤵
        
        PID:4172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Server.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        
        PID:1896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x8,0x108,0x7ff9651f46f8,0x7ff9651f4708,0x7ff9651f4718
        6⤵
        
        PID:2280
- - C:\Users\Admin\AppData\Local\Temp\cat2.exe
    "C:\Users\Admin\AppData\Local\Temp\cat2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\333a6534-0389-494d-8f8d-d0bce5f0547a.tmp

Filesize
5KB

MD5
e681f04c63170363131dd575dcb36f3a

SHA1
b80a5abd7a164b7c521f4ac99771bea227319601

SHA256
bce35480bb0dde99e4e51ee3410cebc1d8c5b7ac0521ea5ee4e885079a351586

SHA512
48db2f5a0b83950d13dc53c02a5a07127ffe05548c0999a226b6bcecb862279f3622b921390a7af19d77a1cb39c040be791356a855c66812c941af53f327895c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
b4eca22374416e2367aed2029900aab9

SHA1
916177c73358f59f230730852f3e232cd4e0fc2c

SHA256
da7c79c9f5bb5152cc437cd45c6f0e36f64d9ce85efee116b2bff8aa16121472

SHA512
7c5ed0aaa553f4d57666300af2e27068ed56a9fcb7fc6f49755df5e91970e22e710b650f95cb1855757240bdf2ac34bdb7267f24adad66e62f679fd7b7b6bab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d82276921e7598283092b6ae47077ac9

SHA1
62ec39762f55d7535746dc338f4d90415dccd8e1

SHA256
b27133cfaa909f43b8f4331dc1db0b2a73dd9108a119c932901e507b98e5c67e

SHA512
9b49b8a66a213b8ff40422be64e820a569714e36a6342dcc74b24b6c43fcb031610934e072a709ea4e93315af9115fd4de5cda7f2074fba5a6aea621ebe81489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51a98a863ceed5a6ed5029fb9e44a639

SHA1
bbe2befe4ab37a8ad77f35c116a5dc029da73fa8

SHA256
ba6dd4e45abc2eecb96bbcd92e7a726e0666f5d80f0d38ef70a6eebb4cfb3349

SHA512
f428085c1a0cadebe1ba6eba9ca785f588bb11d3f2dfa1ee70592b0f341d975d643702726ac865411f92eb20c03e3e881f069f19f6851253c4f4cce01247bbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d5c10e639852aad558c5378eb2ced20e

SHA1
ef2cd7f7059068192727b2bece297f0b20cf4846

SHA256
6d4d8ea8c48486daa6d37db92ab5cb3f2f3c3f8f54d8e789a922c6a3b5cbb277

SHA512
7f91628f86247d1d22649119710648e77b07388e6ab340b087fe891148f19fa18ee8809ee5d787d943121ce3fdbdfe07b8dc013f2d2bd20c50e7b483443767a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7366\7366.exe

Filesize
195KB

MD5
8434e4174c6477cf4f53c667d8403ab1

SHA1
cd33e7822c591d85225c07217c78189c25b5f75b

SHA256
662b4f9336665edd36208b48c94f61bdcf32df0c6e5f92f03e34c662c0c09be4

SHA512
540bb033b2099138a1498554ea2f5216236d56db106ba07589e6842a2272a1ee468e2e894a2b4d214ab6f614bad9added522950d319de899a39ebc46f1a9cdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
47KB

MD5
e3d8ec29da5489a16a5e9630bafb4a40

SHA1
298c51871b537951eadf69f13d3b3c61e1e8e55c

SHA256
18b0624fbc10e1732b69a6e87dbe4b09f13368119a7085153b7f12d6802a1c81

SHA512
4fb4b54729dcaf8d53c998fa18ebeaff743be20df30f49a153f5c2e366302a42c32011fc3a0fa350748490e2cc069333ba3b1e28f3f9a831fec2c27792a34369

Download Submit
C:\Users\Admin\AppData\Local\Temp\cat2.exe

Filesize
372KB

MD5
cdf4fedcd923d85043598b7f5232a794

SHA1
35043dec26dd11862797ffeb87611e0a6e466b2a

SHA256
540e5a66a4241fb7a2a68a007abb96c2cb6b49755a3482e796a98ca93d654b8a

SHA512
4685560f46c32c170c850e686f7c504d5800caf005428ba145c54ab0cdc429f5ef361db2f0a114a0054085be80bcf3d74393e59fbb6402efc89a5d159bb70359

Download Submit
memory/3296-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4532-26-0x0000000000400000-0x000000000043299E-memory.dmp

Filesize
202KB

Download
memory/4532-8-0x0000000000400000-0x000000000043299E-memory.dmp

Filesize
202KB

Download