njrat | 18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13

Analysis

max time kernel
1799s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-10-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

javasfsdtgkoratg (2).exe
Size

43KB
MD5

75f876f184505cc110923210adf581cc
SHA1

2670bf9724001fd9ba1370682c8deddb22d1a35c
SHA256

18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13
SHA512

345c6cbeba7d3db55dee9a4717dea12b32693b19f8588920e2841330ba821fe0fb85769c26cb4b3050d1f851b3bfd26ea14b3dae24be095658243141ae151f74
SSDEEP

384:GZy8tFgpWfxyiihvhAhjEhHSLizYIij+ZsNO3PlpJKkkjh/TzF7pWnD/greT0pqD:c7tWofYiYhcYy4uXQ/oO/+L

Score

10^/10

njrat assault discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

assault

pro-fundraising.gl.at.ply.gg:43768

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ChromeUpdater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ChromeUpdater.exe

Executes dropped EXE 30 IoCs

pid	Process
644	ChromeUpdater.exe
1568	Server.exe
1492	Server.exe
3668	Server.exe
3056	Server.exe
2836	Server.exe
2332	Server.exe
1936	Server.exe
5880	Server.exe
480	Server.exe
4220	Server.exe
3380	Server.exe
5620	Server.exe
4656	Server.exe
4992	Server.exe
4172	Server.exe
2920	Server.exe
2296	Server.exe
1268	Server.exe
5236	Server.exe
2680	Server.exe
4680	Server.exe
2676	Server.exe
3216	Server.exe
1036	Server.exe
4368	Server.exe
6060	Server.exe
896	Server.exe
6084	Server.exe
2860	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdater.exe\" .."	ChromeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdater.exe\" .."	ChromeUpdater.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasfsdtgkoratg (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5940	msedge.exe
5940	msedge.exe
3336	msedge.exe
3336	msedge.exe
5168	identity_helper.exe
5168	identity_helper.exe
4120	msedge.exe
4120	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2460	javasfsdtgkoratg (2).exe
644	ChromeUpdater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	644	ChromeUpdater.exe
Token: 33	644	ChromeUpdater.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 644	2460	javasfsdtgkoratg (2).exe	77
PID 2460 wrote to memory of 644	2460	javasfsdtgkoratg (2).exe	77
PID 2460 wrote to memory of 644	2460	javasfsdtgkoratg (2).exe	77
PID 644 wrote to memory of 996	644	ChromeUpdater.exe	78
PID 644 wrote to memory of 996	644	ChromeUpdater.exe	78
PID 644 wrote to memory of 996	644	ChromeUpdater.exe	78
PID 5940 wrote to memory of 5524	5940	msedge.exe	89
PID 5940 wrote to memory of 5524	5940	msedge.exe	89
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 4624	5940	msedge.exe	90
PID 5940 wrote to memory of 3336	5940	msedge.exe	91
PID 5940 wrote to memory of 3336	5940	msedge.exe	91
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92
PID 5940 wrote to memory of 4828	5940	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\javasfsdtgkoratg (2).exe
"C:\Users\Admin\AppData\Local\Temp\javasfsdtgkoratg (2).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe
  "C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:996

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3668

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbbd233cb8,0x7ffbbd233cc8,0x7ffbbd233cd8
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8499295822194988195,10912987267089969430,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3348 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5880

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:480

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4220

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3380

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5620

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4656

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4172

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5236

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4680

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3216

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1036

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6060

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6084

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

Filesize
507B

MD5
a5dcb915b1da3d8018340dba2a1f9974

SHA1
a43d74ff34081e4aa9084823ad1a478db8ab71d8

SHA256
045747003a499b85c29dc17bf70ae48279d05a87b8971b23ede053ba8a404750

SHA512
b778c0ba685be49fe295d2b3dea3dd727db14c7fade7521ddb3fd845641082751abcb8b2c8f59635c576ec550c2218585804890c2e2c4cb28f2ebbf1128142e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed8d519f50e5dea4ff7aaca9f7d10a00

SHA1
9ba0f05d02d2255d155d632def169588378ceab5

SHA256
d9a9a81a94bbd38964979f11f01ac7417afb101ea6922cf0054ba73b8d0dc232

SHA512
6e2abdf7112a91a085bfc84cb3ae9cec7021fee4a950125fff6b837fa2b056310edefae4b50b250691fe78bce40bc2b29a94053b88864683d37fd81f0815e563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0649560d082ce2046f91a8dbf3cfe79

SHA1
0d0f9038a21372a0da7d79e1e16c7bca960a5c44

SHA256
f4afd2bdfc044ce8e61a5f386fcd454f73302b3b6b53594786eaee94cb5e9f82

SHA512
b668e6f9aedfc9306b9a12ff79922c37a1f2e60de4cc9b7e860784e1c4ca553ad4b469d6a1054f6e16ccea2b23a7990b74d0ca2d9fad7f93ae53b484fca3990e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
24aa6bb27d9361837aea7aa265211179

SHA1
d7d3f9c74904b0f6969270a5e60fb605576cf533

SHA256
08ee91bfaba775538be9a50dc274a1e081e9678708b9901b6bf1555001d18a48

SHA512
41b46ade3cae98ff1c34932abd8dba8ac88ae304fe68f22b0cebbc8d5eff912d427e63853edb43a2191fa59812b8dbeba6a09864363b13e0aa8ae06e5fccf72b

Download Submit
C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe

Filesize
43KB

MD5
75f876f184505cc110923210adf581cc

SHA1
2670bf9724001fd9ba1370682c8deddb22d1a35c

SHA256
18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13

SHA512
345c6cbeba7d3db55dee9a4717dea12b32693b19f8588920e2841330ba821fe0fb85769c26cb4b3050d1f851b3bfd26ea14b3dae24be095658243141ae151f74

Download Submit
memory/644-16-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/644-17-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/644-21-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/644-22-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/644-23-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/644-24-0x0000000006220000-0x0000000006238000-memory.dmp

Filesize
96KB

Download
memory/644-20-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/644-33-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/2460-15-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/2460-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/2460-5-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/2460-4-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/2460-3-0x0000000005E80000-0x0000000006426000-memory.dmp

Filesize
5.6MB

Download
memory/2460-2-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/2460-1-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download