Analysis

max time kernel: 164s
max time network: 166s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-09-2024 18:59

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ninjaui.net/
Resource: win11-20240802-en

General

Target: https://ninjaui.net/
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x0005000000025c64-534.dat | family_agenttesla
behavioral1/memory/1500-537-0x00000000067B0000-0x00000000069C2000-memory.dmp | family_agenttesla
behavioral1/memory/2312-604-0x000001795D960000-0x000001795DB72000-memory.dmp | family_agenttesla
Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
pid | Process
4492 | NinjaUI-Setup-v2.0.exe
1500 | NinjaUI-Setup.exe
2312 | NinjaUI.exe
Loads dropped DLL (2 IoCs)
pid | Process
1500 | NinjaUI-Setup.exe
1500 | NinjaUI-Setup.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
flow | ioc
23 | raw.githubusercontent.com
54 | raw.githubusercontent.com
55 | raw.githubusercontent.com
59 | raw.githubusercontent.com
Drops file in Program Files directory (21 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\NinjaUI\Guna.UI2.dll | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\Credits.txt | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\Credits.txt | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\DiscordRPC.dll | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\NinjaMapInjector32.exe | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\NinjaMapInjector64.exe | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\NinjaUI.exe | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\Updater.exe | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\Updater.exe | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\Newtonsoft.Json.dll | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\NinjaLLInjector32.exe | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\NinjaLLInjector64.exe | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\nui-logs.log | NinjaUI.exe
File created | C:\Program Files\NinjaUI\NinjaUI.exe | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\DiscordRPC.dll | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\Newtonsoft.Json.dll | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\NinjaLLInjector32.exe | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\NinjaLLInjector64.exe | NinjaUI-Setup.exe
File opened for modification | C:\Program Files\NinjaUI\NinjaMapInjector32.exe | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\NinjaMapInjector64.exe | NinjaUI-Setup.exe
File created | C:\Program Files\NinjaUI\Guna.UI2.dll | NinjaUI-Setup.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe:Zone.Identifier | msedge.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NinjaUI-Setup-v2.0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NinjaUI-Setup.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | NinjaUI-Setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | NinjaUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | NinjaUI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | NinjaUI-Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | NinjaUI-Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | NinjaUI.exe
NTFS ADS (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 259520.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 944576.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process
1368 | msedge.exe
1368 | msedge.exe
1608 | msedge.exe
1608 | msedge.exe
2184 | msedge.exe
2184 | msedge.exe
4784 | identity_helper.exe
4784 | identity_helper.exe
3760 | msedge.exe
3760 | msedge.exe
3760 | msedge.exe
3760 | msedge.exe
3288 | msedge.exe
3288 | msedge.exe
2312 | NinjaUI.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
pid | Process
1608 | msedge.exe (12 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1500 | NinjaUI-Setup.exe
Token: SeDebugPrivilege | 2312 | NinjaUI.exe
Suspicious use of FindShellTrayWindow (44 IoCs)
pid | Process
1608 | msedge.exe (44 identical entries)
Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process
1608 | msedge.exe (12 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1608 wrote to memory of 5056 | 1608 | msedge.exe | 80 (2 identical entries)
PID 1608 wrote to memory of 4336 | 1608 | msedge.exe | 81 (40 identical entries)
PID 1608 wrote to memory of 1368 | 1608 | msedge.exe | 82 (2 identical entries)
PID 1608 wrote to memory of 2816 | 1608 | msedge.exe | 83 (20 identical entries)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ninjaui.net/
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb6db3cb8,0x7ffcb6db3cc8,0x7ffcb6db3cd8
      PID: 5056

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
      PID: 4336

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 1368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
      PID: 2816

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
      PID: 1844

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      PID: 1404

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      PID: 1256

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 2184

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
      PID: 1800

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      PID: 3112

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
      PID: 3696

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      PID: 3656

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 4784

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4708 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 3760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
      PID: 4052

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      PID: 444

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
      PID: 2236

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
      PID: 4260

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
      PID: 2328

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:8
      PID: 4012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2936 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 3288

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
      PID: 4100

    C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe
      "C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4492

        C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
          PID: 1500

            C:\Program Files\NinjaUI\NinjaUI.exe
              "C:\Program Files\NinjaUI\NinjaUI.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2312

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3872

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1704
Network
MITRE ATT&CK Enterprise v15
Downloads