njrat | hxxps://github[.]com/ki1erz/NitroGen-ki1L/blob/main/k1iL/Data/Helper[.]exe

Analysis

max time kernel
87s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ki1erz/NitroGen-ki1L/blob/main/k1iL/Data/Helper.exe

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Helper.exe

Executes dropped EXE 9 IoCs

pid	Process
5612	Helper.exe
5812	Helper.exe
5840	Helper.exe
5956	Helper.exe
5988	Helper.exe
6132	svchost.exe
4168	Helper.exe
6000	Helper.exe
2128	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7f21f6241b3a13bae51122d4afa0197 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a7f21f6241b3a13bae51122d4afa0197 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 205728.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 320257.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	msedge.exe
944	msedge.exe
2592	msedge.exe
2592	msedge.exe
4940	identity_helper.exe
4940	identity_helper.exe
5516	msedge.exe
5516	msedge.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe
5612	Helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	5612	Helper.exe
Token: SeDebugPrivilege	5812	Helper.exe
Token: SeDebugPrivilege	5840	Helper.exe
Token: SeDebugPrivilege	5956	Helper.exe
Token: SeDebugPrivilege	5988	Helper.exe
Token: SeDebugPrivilege	6132	svchost.exe
Token: SeDebugPrivilege	6064	taskmgr.exe
Token: SeSystemProfilePrivilege	6064	taskmgr.exe
Token: SeCreateGlobalPrivilege	6064	taskmgr.exe
Token: 33	6132	svchost.exe
Token: SeIncBasePriorityPrivilege	6132	svchost.exe
Token: 33	6132	svchost.exe
Token: SeIncBasePriorityPrivilege	6132	svchost.exe
Token: SeDebugPrivilege	4168	Helper.exe
Token: 33	6132	svchost.exe
Token: SeIncBasePriorityPrivilege	6132	svchost.exe
Token: SeDebugPrivilege	6000	Helper.exe
Token: 33	6132	svchost.exe
Token: SeIncBasePriorityPrivilege	6132	svchost.exe
Token: 33	6132	svchost.exe
Token: SeIncBasePriorityPrivilege	6132	svchost.exe
Token: SeDebugPrivilege	2128	svchost.exe
Token: 33	6132	svchost.exe
Token: SeIncBasePriorityPrivilege	6132	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe
6064	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2268	2592	msedge.exe	84
PID 2592 wrote to memory of 2268	2592	msedge.exe	84
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 4324	2592	msedge.exe	85
PID 2592 wrote to memory of 944	2592	msedge.exe	86
PID 2592 wrote to memory of 944	2592	msedge.exe	86
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87
PID 2592 wrote to memory of 936	2592	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ki1erz/NitroGen-ki1L/blob/main/k1iL/Data/Helper.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd452846f8,0x7ffd45284708,0x7ffd45284718
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,12850118724407507823,13414031613389746285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5516
- C:\Users\Admin\Downloads\Helper.exe
  "C:\Users\Admin\Downloads\Helper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6132
- C:\Users\Admin\Downloads\Helper.exe
  "C:\Users\Admin\Downloads\Helper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Users\Admin\Downloads\Helper.exe
  "C:\Users\Admin\Downloads\Helper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5840
- C:\Users\Admin\Downloads\Helper.exe
  "C:\Users\Admin\Downloads\Helper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5956
- C:\Users\Admin\Downloads\Helper.exe
  "C:\Users\Admin\Downloads\Helper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:916

C:\Users\Admin\Downloads\Helper.exe
"C:\Users\Admin\Downloads\Helper.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Users\Admin\Downloads\Helper.exe
"C:\Users\Admin\Downloads\Helper.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Helper.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\63865f1d-13df-4f23-bab3-9897edff68af.tmp

Filesize
11KB

MD5
55ae64051e7ed72260d5666c9b15fff9

SHA1
ae9375afd5ccdd20849eb32f1903c51a63390277

SHA256
e01383dc1b26112cc58d3618276c324252c1f5aee44d0d3afe7a5b1667e4279f

SHA512
5642d5d573b043c57da78131bfd09b74699699b44df2bbeeecb13842fab864294f158064b6515cb90f433835e7cc5a798c949432d1eabb18a40d5f1e16215d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7d407302b9bd86f6ef5b8fdc91804596

SHA1
7ad32ad0aeffbc379104615bfbd9033e00537dcd

SHA256
9aaa7d32cc5be99ea2fca126cc886e5671c8ccd748f9984f7c642f1bfb911987

SHA512
6dabcbb34d8e6da85503dd9b4959f5b0c579fbe6322ef638066f0666aeaa0cfff3ecc54c0a2686cf7e65eb7c1a4935155c7f827f910826bd6a0b0fa860edd5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18ed21ecc99ac3b0f3a667da0d252e1a

SHA1
f00fe582f51369821a87f0deee09538986b3bd85

SHA256
692732d8c1800f81d2ad05c731cc4735d0c5b27d47bb3245be8420dea8ded8b6

SHA512
eff95a6cd971d8b3ae4240ffed1ea9bdfc0b9e4bb4d96ea8cf763b5de1a856d639e122351967f7ccbf9c7b77408438ed19af36a0baa3761b3f8c5b8a7099bf21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
99c31b80822fc9b3f3054b6eb59e4b9b

SHA1
bffeef1f6076ef44498f3b3490d5f2e704125f66

SHA256
4adc86fcaeb57c24ab9d9ebf9d502eaa9b50711c589dd53f755505b058728446

SHA512
ca576d64c4c396ba90719f658188f20658a4e098b0f1995d978b54dc39d98920a12d774510576b0bf6f7db83b6fd40255810f068bdd60a94416688a0c676c384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2eb6fdfce08beecc36137047babb3c2a

SHA1
33c6cb85ca49df0a76434c20775dd9b441665fc7

SHA256
1260dcf01feeb3a663232646cfeb874cd4834ba48debd9416f0a0014e2f7db8b

SHA512
f2450643176a46dcb0bfaeaef0583a3d09e5d26a0c113266208ac4ddb9663caba6c150106b568e57749489b9138b4b45983a5baf8eaca527dc7fc8e301d15bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a766.TMP

Filesize
1KB

MD5
669621579251a5c613ea4926a4de1e80

SHA1
75e49a249fdd882501a10c5892f72f1212095437

SHA256
8d965d697a99d723fc4c846464f45c9862bd087e284db9ade0ca6e51c56cae5c

SHA512
0cc717325de9e27c5b53a42bf84398daa5a47854dd4e0a479e2c5d38d9c7fb08285fb7f2d02428820d7e53ab044842e94d1b299caed306a0c0670af7338135fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b37eb368-55d0-4ef8-a79d-e8171f0988d4.tmp

Filesize
11KB

MD5
5720b73bf5dab9206d3f6a1e823e8d8c

SHA1
d6a2e91e354ce977d99fa827bc774506155b4017

SHA256
ab7ea8c609851806047a19c9340599609ce0d9a930da516fa17bacf70f8ecb4c

SHA512
017e08b598d1168de20b59690d3d241b6b5b714b1f2033835084e20746fa1cc56a22957cddc1a2d06275b48c947b36325f46b4e4a4a59be06fc59b958d901c2e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 205728.crdownload

Filesize
55KB

MD5
1ddc055a8a01bd308f8241446643d642

SHA1
13c2869279a0084bf2eb8b7808eecb30a25b9689

SHA256
feaee85a19690a9b85cc0aebb018d4f3915e9704ce27ce83547f74b6344bebac

SHA512
0fc2467b3312a9193acb5cbcfff54b69637de4a60c2c773e5d67439fec4635d7179b40d4f21505e3151353bc4a2fe51476511d8ebe51654dc165d2c90a28c526

Download Submit
memory/6064-240-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-250-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-249-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-248-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-247-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-246-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-245-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-251-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-239-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download
memory/6064-241-0x0000022714C70000-0x0000022714C71000-memory.dmp

Filesize
4KB

Download