njrat | 4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414

Analysis

max time kernel
186s
max time network
198s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Payload1234.exe
Size

54KB
MD5

036b3d9a4d952a24395e7bb611c343fc
SHA1

c22e1bd6a08cb355af0916d071c1bca492b71948
SHA256

4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414
SHA512

2a0e6508fba8adec93929db094e664b252cfa635694a7d2e72c4b7d3ba2be6d30c37e5de17559dd728fdeda27fd5f843247a197339255b1d2c178dea34c6652b
SSDEEP

768:GmAQsCB2EsltNnVpladJr3N8JSNGExWQG35bmaePD5Pv42XXJdxIEpmJg:GmJtGtNnpabrmGGWWQcGD/X3xIEpmJg

Score

10^/10

njrat bootkit discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 9 IoCs

pid	Process
4288	3b7c8f9ce7144d3aada458a6bcaec624.exe
2716	ddb6c03aa36644f98fa87d429059bbc1.exe
992	ecc5ae38b1044913a6ca823decec6dee.exe
5208	51801387d7eb4f86b5bafd3bfe3fd07b.exe
2824	dbb518e5041841869e008bf2f616ffe9.exe
2224	92424edfcc55404f8da78c9467498fb9.exe
2672	5d7fdee62c76435e800ca544568562d4.exe
5736	44528ab9825343df8703863c89706962.exe
2856	2b7293b6b4244596a2a4e445eea63d3c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	44528ab9825343df8703863c89706962.exe
File opened for modification	\??\PhysicalDrive0	2b7293b6b4244596a2a4e445eea63d3c.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1045870515\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1199318352\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1199318352\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1045870515\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1045870515\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1045870515\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1045870515\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1199318352\manifest.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b7c8f9ce7144d3aada458a6bcaec624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddb6c03aa36644f98fa87d429059bbc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecc5ae38b1044913a6ca823decec6dee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb518e5041841869e008bf2f616ffe9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d7fdee62c76435e800ca544568562d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51801387d7eb4f86b5bafd3bfe3fd07b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92424edfcc55404f8da78c9467498fb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7293b6b4244596a2a4e445eea63d3c.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870627516322320"	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{339E5023-089E-431F-9358-47BC2966BE2B}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	3220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3220	AUDIODG.EXE
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: SeDebugPrivilege	5736	44528ab9825343df8703863c89706962.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe
Token: SeDebugPrivilege	2856	2b7293b6b4244596a2a4e445eea63d3c.exe
Token: 33	4524	Payload1234.exe
Token: SeIncBasePriorityPrivilege	4524	Payload1234.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
6064	msedge.exe
2716	ddb6c03aa36644f98fa87d429059bbc1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2056	MiniSearchHost.exe
4288	3b7c8f9ce7144d3aada458a6bcaec624.exe
2716	ddb6c03aa36644f98fa87d429059bbc1.exe
2716	ddb6c03aa36644f98fa87d429059bbc1.exe
2716	ddb6c03aa36644f98fa87d429059bbc1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6064 wrote to memory of 5552	6064	msedge.exe	96
PID 6064 wrote to memory of 5552	6064	msedge.exe	96
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 1924	6064	msedge.exe	98
PID 6064 wrote to memory of 1924	6064	msedge.exe	98
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 380	6064	msedge.exe	97
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100
PID 6064 wrote to memory of 1572	6064	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\Payload1234.exe
"C:\Users\Admin\AppData\Local\Temp\Payload1234.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4524
- C:\Users\Admin\AppData\Local\Temp\3b7c8f9ce7144d3aada458a6bcaec624.exe
  "C:\Users\Admin\AppData\Local\Temp\3b7c8f9ce7144d3aada458a6bcaec624.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\ddb6c03aa36644f98fa87d429059bbc1.exe
  "C:\Users\Admin\AppData\Local\Temp\ddb6c03aa36644f98fa87d429059bbc1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\ecc5ae38b1044913a6ca823decec6dee.exe
  "C:\Users\Admin\AppData\Local\Temp\ecc5ae38b1044913a6ca823decec6dee.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:992
- C:\Users\Admin\AppData\Local\Temp\51801387d7eb4f86b5bafd3bfe3fd07b.exe
  "C:\Users\Admin\AppData\Local\Temp\51801387d7eb4f86b5bafd3bfe3fd07b.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\dbb518e5041841869e008bf2f616ffe9.exe
  "C:\Users\Admin\AppData\Local\Temp\dbb518e5041841869e008bf2f616ffe9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\92424edfcc55404f8da78c9467498fb9.exe
  "C:\Users\Admin\AppData\Local\Temp\92424edfcc55404f8da78c9467498fb9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\5d7fdee62c76435e800ca544568562d4.exe
  "C:\Users\Admin\AppData\Local\Temp\5d7fdee62c76435e800ca544568562d4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\44528ab9825343df8703863c89706962.exe
  "C:\Users\Admin\AppData\Local\Temp\44528ab9825343df8703863c89706962.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:5736
- C:\Users\Admin\AppData\Local\Temp\2b7293b6b4244596a2a4e445eea63d3c.exe
  "C:\Users\Admin\AppData\Local\Temp\2b7293b6b4244596a2a4e445eea63d3c.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3308

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5736

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5812

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5512

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.oracle.com/javase/8/docs
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f8,0x7ff9d71ff208,0x7ff9d71ff214,0x7ff9d71ff220
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1944,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1784,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=2336 /prefetch:11
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:13
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4852,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:14
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5000,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5184,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:14
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5192,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:14
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5612,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:14
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:14
  2⤵
  PID:2672
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1100
    3⤵
    PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:14
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:14
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6560,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:14
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6580,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:14
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:14
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5260,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:14
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6508,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:14
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:14
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6368,i,10720651422128075093,3798853158054127194,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
603d877431ed96b31057bfad24c4ac76

SHA1
5bafe1f00697e0b2bcc6c2b973fd12afc189f126

SHA256
57ac5957c4cf148ea8edc425b116eb6f88115a3eb164e5e939c64527a49a3170

SHA512
ff11c392a3df37932a88b88d721e87f246c2a786df8ce48c4d166e1e801d4a0183a4992bdd48181709d8e8812059381c699dd500a80da2835d9ffb402a6faf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58a60f.TMP

Filesize
3KB

MD5
aed8568ae577d3fbb2d1fc29b2703eb0

SHA1
f4445349ae9067b00e1d5a91cb7f5934270afc83

SHA256
e582ad75adf005f9b5e2680d183bb4fedf60411e26e249f0bc6fea14432dae60

SHA512
2d0523caef95d74c6ae3fa2ae4289877b6fc06dbd1a773901151bd29700b5bdea767fe46f441803e7075874383e07443e439610ea983d1a1d2aba862526a92bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
61717d774993efba1430eeec19d17284

SHA1
eac82225c43989eb473539eff6a35deb906ab436

SHA256
d2afac61a0ee313b13256b4203201989e554309e0c87d6096f55de1a8cdde243

SHA512
635ecc7f430daf9100e55b661882a25a03c9d68279d26f5ec60136a7821197d158864e8e1b66c7be46cd76e1addad7c3b7507daafa93bd93d189bf8c44ce8cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
411KB

MD5
e4d875c76ff7bed623a7e76fd8f42c5d

SHA1
c7946a90226b992e638195510c5e55bef7102ab5

SHA256
2801e2751c9fe5e4181b4522b2d8cd17f564e877fcb1b5a7705086d4c18d828e

SHA512
3a0a05935eb0d522739ecbdf8c5a3b4db720ab412f0f94082ca5dbe5802daeb899cad41859d410ac1b663675b9c15e2cadc30544dff82fcaa7d0502eb46c1be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
8d01bb808b2cb8f03df1b832a7e266dd

SHA1
1a8714c4fc142fc2654d34831218b430836f04e8

SHA256
d22497c9b07c4b33b645cec47999266a28bd17222a42a58f537baf9a26dd3229

SHA512
253daa6ffa1db33646f00be0949b3188fb3b1b4e0ad44675dc3c573a98f43d7c1d174ef533f5ac6fb16f40147ce9bf43b50864220975f2eed6fd8789bb83fef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
1090a95684b65a02dceb545d35057502

SHA1
4bb24422ada6aeb28913001c9685bfa820d164b0

SHA256
363afa5adf02e34258779e0904d900bf8eeb5cc48198a98fd635b27d038f5b4e

SHA512
08af87d039a5ea350844ea40c73198982188bd7fa3909d3f77482e8b6f9b00c305f5de218285757eb91b849558faf1d44a1a20af2f323177cdfa9a9861edab51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
2589485b029f1de680e1e064ace461f6

SHA1
30bac19a3be621ef993de29c72fdd17eef9f92dd

SHA256
213e50250477298eb42b85e326adde19ee337c7e5118469a156e1dd88205ee70

SHA512
1d9df2e9773e07ab51f05abdba28faf7d77df348fba443fda68f5b2f3bf0345a20729efc5056e9c776ea61a01f2054b587ee16988c862175c938b1a20ae1efb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
29fa62ce17a9fdaacb64357c731b6cee

SHA1
fec5ad01fa539dab82193fdf6f8a02bb47e12ed7

SHA256
41d846fa3f898c40306625c6ad3ab08c3e97e1e6ef0ad7078bc38ecae7c4ae2f

SHA512
0e5ac3a76c7d69906126d714813093fc8650dbce4e03466d57088bf6e7a44f78a4afcc9c3e60e7c38f5d02a3c5f711fddfe0b689fbd86f91e8b4e94278c955f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
0a74c73fb22a00b47f1571422c010f70

SHA1
1e0992aef2765d7abde8a314e6edeac1e88e23e2

SHA256
44c416be58def739eff26c6fea3fc156c55b10de26dff1d743b4ffe849e8a8d6

SHA512
725f5701bc2e1fc796a6e4731edb95b5ff82f8e1e5c105dc0cb2dd02d5bdb9f9db587b413e1dda2079887885a8482df7c49996b1fff0ccf35d1a6ddbd8d4f33e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
1fcfa6fad389a060ec6852c84c4d9602

SHA1
6c212707c6c4540b25bacc952dc7d473a59cb6fa

SHA256
b76eb0b842a8313045b4cbe86ffd6fdc6b2ac751c5c49cb8231ada9d64287127

SHA512
e5d5db57a9638fef17754c805e5f8c7048b61d6673b4708aa0932b47432f7c2cc0d7282f5c2323bdacf5f698e1962fb1c3d29edd1c5c043aca126fcb2937d35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
cfa09e2879be37ecc174c23d119a834d

SHA1
04ba773860d6d48d42a6716f084777e578c91a00

SHA256
7e088794c5d3b3326cc8c49c829629816048ff130e392cfbd5d302aafef38395

SHA512
1bc0c70570e62ffd580fb386e73b048e77fe426b11541fd4e40e61e59464c20ccd2a4e8a69ae32c3c2c752dd5ed805fbda765ec465337ae598a25bb3f61d7389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
bc041ac772d4ffb505b93b2df248be24

SHA1
8d1c849d6c8fdf2cf8976bfcd2b45a4a234677a0

SHA256
7dfe4414632472dcf5f13096fb12c362fbd92d97d3aa57018381fd9c96ec957c

SHA512
9d46a3a2304c80bb38cbc7b783b4d3ef614342a5e35af63e6423343efe57d62f5f38958e41b0fba7e6532726749508abafac4cc80a4d0e96ce755588dba0e708

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a62bcf2f-1d83-4ff7-a958-c52c4a69c4e4.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b7293b6b4244596a2a4e445eea63d3c.exe

Filesize
12KB

MD5
58a0e2e194a5dc20f7ebe23f01cded37

SHA1
4a8d890cecf49e8454baa91a614f170bca7f85a4

SHA256
585d630395d116374920db90016e50e20d8a84e32f1a4013013e9e35f9aa10b4

SHA512
9ca13ba58c9f7fa17575cab1ce7114a2cc8d859aafc13da9df15d22f3f401d8138d1e801088e7ede39779e7fb3a805a258ce5fa8bd410a1498f029567677edb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b7c8f9ce7144d3aada458a6bcaec624.exe

Filesize
28KB

MD5
62cbb85434223022a0b0e369b227a3d9

SHA1
4978b691168f16c678a1ffe53e126ba1d946bce0

SHA256
ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd

SHA512
f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\44528ab9825343df8703863c89706962.exe

Filesize
17KB

MD5
cb79c575e1f39c429dfad50a5b092e43

SHA1
77cc2bf89503c45ea3b60fdf4010dc1ba135cf59

SHA256
1ff9f4effaedbf260bb2980cfbcb1b698114f8bd14bae13e03907b673b76d316

SHA512
daa960ae3545c39cf618d3c3960271b49224e5b3738bd5437987f67ca7e9e5f3a6d48a2faaad0db45cd33934cf94aba27890488fd2430432d2265977edd7c79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\51801387d7eb4f86b5bafd3bfe3fd07b.exe

Filesize
263KB

MD5
bbb9f19a08712300e0b9afddf1aecb5d

SHA1
0e0778cb6b0396fe98a01772f8cbb3129dfd971a

SHA256
368234de5fb9ea1a242dd22857156ddd2e6f3fa068a78199a3a2606996cf2e82

SHA512
20d7bbb4c92c11be620268d259d06b0fc9a31dc6924e84fb88671cc9be6bc35ff0949a2291da5ab3d21980689545c2c6c5996b079c50e5400f0f4a454bc879b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d7fdee62c76435e800ca544568562d4.exe

Filesize
27KB

MD5
a01537295836a4e387cc80ff394fe53c

SHA1
c5775d713df0ab96e55fd2a1c841a9c8edb6b666

SHA256
df56d29d9124be1a3df66bffab2fa3382c2b083cc2a6deb956b757cd9a935f20

SHA512
598b6963e9ed59c48c3b47fc59b0864eaaa566da304f222a09a7539954b6a8a02735644ff1235a9eb98ae0451086a531de62528aabbf7cc9879e6d48003c38bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\92424edfcc55404f8da78c9467498fb9.exe

Filesize
63KB

MD5
2cf51977ed60a9a59d29a72075ce52ad

SHA1
960e40eaa8445c0049d11f97abba7f4b465ad4d5

SHA256
64735679e70b0d6e67198c28df11cf449dc114df01f6c336d61a9da39448f853

SHA512
bfcad9e99ff0dfd2cd917b8160cccab3710ed9974a6c15ea7dd1b0db965a51eec5ac588a87c4bab37af60504a3deb4f11de0a4d93a0c3648673b0dc0824646ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbb518e5041841869e008bf2f616ffe9.exe

Filesize
283KB

MD5
2b1e9226d7e1015552a21faca891ec41

SHA1
f87fcbe10fa9312048214d4473498ad4f9f331ce

SHA256
7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada

SHA512
1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddb6c03aa36644f98fa87d429059bbc1.exe

Filesize
500KB

MD5
07a9f858f9867f52163d7cec3bd899e3

SHA1
d7feae9f88b807606b747a27ac95ede57b2615f5

SHA256
0fde5da043382f46f04eaa04028fba0d127c20b87b88fbd7966805d5c93307ca

SHA512
e07185b51ea52aa9850beaa099a621383a06d452666e96b25e2f0a9f7152fe5f4dbcc8a75a6cb336ee80c4273f85d04abdc142e7d0f87a4f2a9b85a51036cb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecc5ae38b1044913a6ca823decec6dee.exe

Filesize
135KB

MD5
c971c68b4e58ccc82802b21ae8488bc7

SHA1
7305f3a0a0a0d489e0bcf664353289f61556de77

SHA256
cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce

SHA512
ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1199318352\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6064_1199318352\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
memory/2224-435-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2672-445-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4524-1-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4524-2-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4524-6-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4524-5-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4524-0-0x0000000075051000-0x0000000075052000-memory.dmp

Filesize
4KB

Download
memory/4524-4-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4524-3-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5208-404-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5736-464-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads