njrat | hxxps://gamejolt[.]com/get/build?game=308692&build=532258

Analysis

max time kernel
1050s
max time network
1052s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gamejolt.com/get/build?game=308692&build=532258

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

6116 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

server.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe

pid	process
6116	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 2 IoCs

Processes:

sys32server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4cff1d8e66371f79ddacae14ee26dab.exe	sys32server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4cff1d8e66371f79ddacae14ee26dab.exe	sys32server.exe

Executes dropped EXE 4 IoCs

Processes:

server.exesys32server.exeserver.exeserver.exe

pid process

5124 server.exe
5864 sys32server.exe
5952 server.exe
2964 server.exe

pid	process
5124	server.exe
5864	sys32server.exe
5952	server.exe
2964	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sys32server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4cff1d8e66371f79ddacae14ee26dab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sys32server.exe\" .."	sys32server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d4cff1d8e66371f79ddacae14ee26dab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sys32server.exe\" .."	sys32server.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exeserver.exeserver.exeserver.exesys32server.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys32server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 440417.crdownload:SmartScreen msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 440417.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4280	msedge.exe
4280	msedge.exe
5020	msedge.exe
5020	msedge.exe
2524	identity_helper.exe
2524	identity_helper.exe
2536	msedge.exe
2536	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sys32server.exe

pid process

5864 sys32server.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

5020 msedge.exe
5020 msedge.exe
5020 msedge.exe
5020 msedge.exe
5020 msedge.exe
5020 msedge.exe
5020 msedge.exe
5020 msedge.exe

pid	process
5864	sys32server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sys32server.exe

description	pid	process
Token: SeDebugPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe
Token: SeIncBasePriorityPrivilege	5864	sys32server.exe
Token: 33	5864	sys32server.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5020 wrote to memory of 2076	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2076	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4920	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4280	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4280	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe
PID 5020 wrote to memory of 2944	5020	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gamejolt.com/get/build?game=308692&build=532258
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd747d46f8,0x7ffd747d4708,0x7ffd747d4718
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Users\Admin\Downloads\server.exe
  "C:\Users\Admin\Downloads\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5124
- - C:\Users\Admin\AppData\Local\Temp\sys32server.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sys32server.exe" "sys32server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12572018646117422202,7293942169470479295,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3112 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x240
1⤵
PID:2920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4332

C:\Users\Admin\Downloads\server.exe
"C:\Users\Admin\Downloads\server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5952

C:\Users\Admin\Downloads\server.exe
"C:\Users\Admin\Downloads\server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2a439cd15884cf3bfd519d591759f6d3

SHA1
1357c925d64b377c50cffed765507ddd362e6423

SHA256
9e2da881d468bc7625524992e75e9a0f5ae265e5e73c2c53a1b042a454c3f162

SHA512
778cf3d6273ae8bc7a0bbc69e2da275baa1976bda5b4c3555e3c9f9d1a634554437ea9dc20d1b4eb5857db89a97c0b2d65377675682049350b08b77a4b385032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f9dbe54088053dd1fddf0afb437e70ed

SHA1
1ad1fd604bf71084bbe55af0ac07ea3f2c99249e

SHA256
a270189738c0daa3fc674bd5155199797cb9e1bbb1b7b966f64a8eff720979db

SHA512
2bd57626e85e843735defe1ac811949b7966c1e5819b6d0afb41e3e732f8e11763cdf13618ef656afc16ee9167ed7045b523d1a2aeedf49e653658cd8edea21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e2d90a21e99f02519859299a35cc92bf

SHA1
e079d84f8b8be16c8afec5ad9b56e1793ec9daac

SHA256
99a809bb8253051df74a75288cb93d60aa3ca61deb95613824ae12c4efc483ec

SHA512
aee4222ab06d2d8e8385f5c96e6f7fb6c4e742d8a92a93adfc919a4d3ab74d24c023b827f2b027c4f8a53eb2e930aab73dbf37a5742f7cd9ca0d12fc1c193058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f68d087add91c13786003999339f1ff2

SHA1
c12565012f534d98e484f578e42ebfc50fc6c1ab

SHA256
6ff03ad89d9a604a699c89a3844ef924eb190a760bf1782b587fe25e445f859f

SHA512
593d80061942ea4ff47e2e4621e4c2dc5566f0c6539bdddde3cc8ee4989373d6ebed06ed31e47ee4e8137c8b50065618621afd1ef0b2b6ad67cd303d591c842f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2199ea9bf4e4f1a4d3ae7f05ea6362cd

SHA1
1d30e198bdfd2ab0f665c41bfc17821dd33b8090

SHA256
261cbd3d71bc46f3b6e7705aaae7507ff586186aeef1b27291a6f44cd05ec61c

SHA512
25b63503c92f916cb4b77cad161ad7d5b4b0eaeedead90753d1af82af4c4562715a3a0d63c2d6db7d7478c2375d1459347e71b1ea510fde164a9f7bd019e72ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
670becc5bec0af762d478fa7f418e18f

SHA1
d0ed423926198b756765e455ab14fe52c73869f3

SHA256
1f84ec2ba4a9d5b3fbbc2f967efc44bbc9902a41244532979a0283023dc9fc59

SHA512
0310f983875ede782aacfd8c8f4141d0439663e1fcfe535cd2f34056a90ae049ce7f32812231b84580261394927aabf8ac05737da9b7ef53fa0ee6be863a5c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c98e0ab3590557adf40943dec721297d

SHA1
81bb3918913a90583aec5f56ffb51cd59264c986

SHA256
513755393f8739257994b33d9f6a614ec85e73d2a1b25647b4e43f3fe30fa3a4

SHA512
2959b1be46d174eb05045ef9a9abb3ef75f19fd1746339ad1199e4945ad01dbf023148d68e4acf27f98f9eeb9783eea3209eb3ea452638840191a6df38901fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90dede332519ee942855cd7bf1742eab

SHA1
15617c053d15ed085a417e636cd7c9df56d16e4b

SHA256
fb33470fafaedd31873d68403883b7b1d2ac24c045611761521bc4898063b2db

SHA512
851fd2ecaefd6921832e57395d0cd6899ab7c8b56821752c5451ffa65c5b5f66a3b059e737c3b7fd95ac7fde45b06a7b517a20fa08d93a2112c07bc55a5acf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
da1e6373ff2274e6517c170adb87fe61

SHA1
59e91a795c77ae6714002c90c471974d47206994

SHA256
17c09f4b450c4f8a239b1061c2ff3f98bd90b8c32ce69b0285286f0f8605a670

SHA512
2e4d26c45a95996a509f4f9e698852e07d91cab40a773162976cd3b18c23d0cf0a081e975f1558f2f3a1a06f45edcb0fb0f1346c513ec82e37e9ed2cf7e189c2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 440417.crdownload

Filesize
23KB

MD5
a1f71c518f9b1d06cc70569d637cc92b

SHA1
de7f1872b500b65bed77cfc829ea06bebbdaeb34

SHA256
08ee47cd634d031112142e906fa2a0cb28895d7a233282470fafb2ccf25a8f92

SHA512
69fafaeb0053e9a6c9d61ccd3fe3ce17e8295eb5d7e85566bbded5f48706ab8ca5f9137c7e9ed1e04192f8f179608271463c76e6c76c11fc4ba09bf5039b7450

Download Submit
\??\pipe\LOCAL\crashpad_5020_MKNRDEQZSNDUAUHV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit