njrat | 18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13

Analysis

max time kernel
1800s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-10-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

javasfsdtgkoratg (2).exe
Size

43KB
MD5

75f876f184505cc110923210adf581cc
SHA1

2670bf9724001fd9ba1370682c8deddb22d1a35c
SHA256

18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13
SHA512

345c6cbeba7d3db55dee9a4717dea12b32693b19f8588920e2841330ba821fe0fb85769c26cb4b3050d1f851b3bfd26ea14b3dae24be095658243141ae151f74
SSDEEP

384:GZy8tFgpWfxyiihvhAhjEhHSLizYIij+ZsNO3PlpJKkkjh/TzF7pWnD/greT0pqD:c7tWofYiYhcYy4uXQ/oO/+L

Score

10^/10

njrat assault discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

assault

pro-fundraising.gl.at.ply.gg:43768

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ChromeUpdater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ChromeUpdater.exe

Executes dropped EXE 31 IoCs

pid	Process
1180	ChromeUpdater.exe
3076	Server.exe
4240	Server.exe
868	Server.exe
4952	Server.exe
232	Server.exe
4556	Server.exe
3252	Server.exe
1416	Server.exe
4140	Server.exe
2840	Server.exe
4788	Server.exe
3244	Server.exe
3320	Server.exe
1948	Server.exe
2560	Server.exe
1904	Server.exe
4428	Server.exe
1224	Server.exe
576	Server.exe
4024	Server.exe
3080	Server.exe
1792	Server.exe
4884	Server.exe
3504	Server.exe
3704	Server.exe
2096	Server.exe
1788	Server.exe
3396	Server.exe
4928	Server.exe
2588	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdater.exe\" .."	ChromeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdater.exe\" .."	ChromeUpdater.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasfsdtgkoratg (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
2792	msedge.exe
2792	msedge.exe
720	msedge.exe
720	msedge.exe
2084	identity_helper.exe
2084	identity_helper.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3108	javasfsdtgkoratg (2).exe
1180	ChromeUpdater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1180	ChromeUpdater.exe
Token: 33	1180	ChromeUpdater.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1180	3108	javasfsdtgkoratg (2).exe	79
PID 3108 wrote to memory of 1180	3108	javasfsdtgkoratg (2).exe	79
PID 3108 wrote to memory of 1180	3108	javasfsdtgkoratg (2).exe	79
PID 1180 wrote to memory of 1188	1180	ChromeUpdater.exe	80
PID 1180 wrote to memory of 1188	1180	ChromeUpdater.exe	80
PID 1180 wrote to memory of 1188	1180	ChromeUpdater.exe	80
PID 2792 wrote to memory of 1252	2792	msedge.exe	118
PID 2792 wrote to memory of 1252	2792	msedge.exe	118
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 3372	2792	msedge.exe	119
PID 2792 wrote to memory of 1232	2792	msedge.exe	120
PID 2792 wrote to memory of 1232	2792	msedge.exe	120
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121
PID 2792 wrote to memory of 4992	2792	msedge.exe	121

C:\Users\Admin\AppData\Local\Temp\javasfsdtgkoratg (2).exe
"C:\Users\Admin\AppData\Local\Temp\javasfsdtgkoratg (2).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe
  "C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1188

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3076

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4240

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4952

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:232

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4556

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3252

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1416

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4140

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3244

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3320

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1904

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1224

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:576

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4024

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffbf6173cb8,0x7ffbf6173cc8,0x7ffbf6173cd8
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4825781791745170622,2909233351918403258,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5704 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3504

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3396

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4928

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

Filesize
507B

MD5
a5dcb915b1da3d8018340dba2a1f9974

SHA1
a43d74ff34081e4aa9084823ad1a478db8ab71d8

SHA256
045747003a499b85c29dc17bf70ae48279d05a87b8971b23ede053ba8a404750

SHA512
b778c0ba685be49fe295d2b3dea3dd727db14c7fade7521ddb3fd845641082751abcb8b2c8f59635c576ec550c2218585804890c2e2c4cb28f2ebbf1128142e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\72081653-8da7-436d-8ee8-019f28d345d7.tmp

Filesize
5KB

MD5
d578fa1f3ebdfb4113c93af756e2d202

SHA1
eae059edbcba59ce4623feef1183e4236fcc78f9

SHA256
3fbdbbcb37b63a75e281ac7cef0ae95038e8ac2d1986da0a99ab42cf9512e829

SHA512
38115d4313c1403164d8cdc5ab48e1196244e538416f6ad60e7c74bb552652d474c933b2b515285674080970bf018ecbcb0fa7c9d037b79b5661f8051af40f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47b2488329e264e9501c82f3fe16666f

SHA1
92c3692f709be7cb24658891da0b0ca3d107b5af

SHA256
e09cb720893a34538ee3a596c20e4594672e6d05fffee21680f27353a636ef3a

SHA512
a8d624147c746bfb0fc2a24e73dfe0e33373a043da3abdf1700532e6513fe5b1fcf1cf8ace900f734e606b2fc457ff1f4026430b624404ac9f89a1115016ce3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78be82cc766480d0bb7d471b16dbbb8c

SHA1
c9115a32a732a20bc88c479c6bf4d35a3e481fc2

SHA256
177d483b7dea0b7aa5fa218b42b6121a16fd13d741581be2e61dbcd65e7ac93d

SHA512
896718c6e5524348f9e3955c425fb0223b56d6a2b46e3fdd1e0b6cd968c11b6d28f369a083e4ea603239b568144c50d85b893aad90257f8e95828ddc12949427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1c5601de8de81c961de5c785f5ebcb5

SHA1
aed54f89c33925f18b1de639e3560765a7e93c4e

SHA256
5d756abb0f50044dffd2228b0416b87b77ed06f44f7e32010a12b4b8d05dd847

SHA512
9b901afd1c7ec02f4eccf931cfab62f8bf0a6402dd8d65d091724c774af054451149f5db25e36eeb67734635d25fb338096df2cfb0fa990ba9efa106c0e4ebe6

Download Submit
C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe

Filesize
43KB

MD5
75f876f184505cc110923210adf581cc

SHA1
2670bf9724001fd9ba1370682c8deddb22d1a35c

SHA256
18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13

SHA512
345c6cbeba7d3db55dee9a4717dea12b32693b19f8588920e2841330ba821fe0fb85769c26cb4b3050d1f851b3bfd26ea14b3dae24be095658243141ae151f74

Download Submit
memory/1180-17-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/1180-16-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/1180-23-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/1180-24-0x00000000062B0000-0x00000000062C8000-memory.dmp

Filesize
96KB

Download
memory/1180-20-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/1180-51-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/1180-22-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/1180-21-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/3108-15-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-5-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3108-4-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-3-0x0000000005910000-0x0000000005EB6000-memory.dmp

Filesize
5.6MB

Download
memory/3108-2-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/3108-1-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download